cryptbot | f7a805b251505433e34517da69eccb73955a424bb9d9061309091cf52c07a349

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

4.2MB
MD5

baf330c66dc494f59980816acd04c9da
SHA1

7f394f6664318aae1e8b351ee8f6952957bd957c
SHA256

8ba4bd3b729779ced975109d4c7c427baf7ab6b011bf9ac1c0ea0419c102bb60
SHA512

1dccc6560b5b5a2a921501a3fe115fa7338bc7d354bce2292f2326d02fa7fcbf85c01d6143d1d857920f3573de4d8fe375fc5afd4bdefcd2c26224109c0d667e
SSDEEP

98304:xcCvLUBsgrye6P8kqRj0FZp4zwkVyEXnXOb+6V:xBLUCgry5P8zRwFZez7BubP

Malware Config

Extracted

Family

redline

Botnet

pab3

185.215.113.15:61506

Extracted

Family

nullmixer

http://watira.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

Botnet

706

https://lenak513.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 3 IoCs

resource	yara_rule
behavioral4/memory/4564-212-0x0000000004780000-0x0000000004823000-memory.dmp	family_cryptbot
behavioral4/memory/4564-213-0x0000000004780000-0x0000000004823000-memory.dmp	family_cryptbot
behavioral4/memory/4564-214-0x0000000004780000-0x0000000004823000-memory.dmp	family_cryptbot

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/memory/4456-96-0x0000000004A60000-0x0000000004A82000-memory.dmp	family_redline
behavioral4/memory/4456-123-0x0000000004B00000-0x0000000004B20000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral4/memory/4456-96-0x0000000004A60000-0x0000000004A82000-memory.dmp	family_sectoprat
behavioral4/memory/4456-123-0x0000000004B00000-0x0000000004B20000-memory.dmp	family_sectoprat
behavioral4/memory/4456-192-0x0000000007440000-0x0000000007450000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral4/memory/3292-145-0x0000000002F80000-0x000000000301D000-memory.dmp	family_vidar
behavioral4/memory/3292-149-0x0000000000400000-0x0000000002D1A000-memory.dmp	family_vidar

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x000700000002321d-49.dat	aspack_v212_v242
behavioral4/files/0x0007000000023219-44.dat	aspack_v212_v242
behavioral4/files/0x0007000000023218-43.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	Mon206987d94f0ed4.exe

Executes dropped EXE 13 IoCs

pid	Process
4212	setup_install.exe
4520	Mon206987d94f0ed4.exe
5076	Mon20dfbf5709ab4.exe
2452	Mon2010d77a08c41abda.exe
3292	Mon20ea2d1a99fe5.exe
4456	Mon207fb86dc43e314.exe
4836	Mon20f645bba5.exe
4668	Mon204f125a31b.exe
3756	Mon200e0fb06f0e4eb.exe
1184	Mon20261d41513882.exe
4532	Mon206987d94f0ed4.exe
2708	Talune.exe.com
4564	Talune.exe.com

Loads dropped DLL 6 IoCs

pid	Process
4212	setup_install.exe
4212	setup_install.exe
4212	setup_install.exe
4212	setup_install.exe
4212	setup_install.exe
4212	setup_install.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Mon200e0fb06f0e4eb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
15	iplogger.org
17	iplogger.org
19	iplogger.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1900	4212	WerFault.exe	85
412	3292	WerFault.exe	102
4568	3292	WerFault.exe	102
4216	3292	WerFault.exe	102
2388	3292	WerFault.exe	102
2592	3292	WerFault.exe	102
4732	3292	WerFault.exe	102
4160	3292	WerFault.exe	102
3696	3292	WerFault.exe	102
4272	3292	WerFault.exe	102
956	2452	WerFault.exe	97
2076	3292	WerFault.exe	102
4896	3292	WerFault.exe	102

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon2010d77a08c41abda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon2010d77a08c41abda.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon2010d77a08c41abda.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4312	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3732	powershell.exe
3732	powershell.exe
3732	powershell.exe
2452	Mon2010d77a08c41abda.exe
2452	Mon2010d77a08c41abda.exe
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2452	Mon2010d77a08c41abda.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	Mon204f125a31b.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	1184	Mon20261d41513882.exe
Token: SeDebugPrivilege	4456	Mon207fb86dc43e314.exe
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeCreateGlobalPrivilege	1184	dwm.exe
Token: SeChangeNotifyPrivilege	1184	dwm.exe
Token: 33	1184	dwm.exe
Token: SeIncBasePriorityPrivilege	1184	dwm.exe
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	1184	dwm.exe
Token: SeCreatePagefilePrivilege	1184	dwm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2708	Talune.exe.com
2708	Talune.exe.com
2708	Talune.exe.com
4564	Talune.exe.com
4564	Talune.exe.com
4564	Talune.exe.com
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
2708	Talune.exe.com
2708	Talune.exe.com
2708	Talune.exe.com
4564	Talune.exe.com
4564	Talune.exe.com
4564	Talune.exe.com
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3480	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 4212	956	setup_installer.exe	85
PID 956 wrote to memory of 4212	956	setup_installer.exe	85
PID 956 wrote to memory of 4212	956	setup_installer.exe	85
PID 4212 wrote to memory of 2076	4212	setup_install.exe	145
PID 4212 wrote to memory of 2076	4212	setup_install.exe	145
PID 4212 wrote to memory of 2076	4212	setup_install.exe	145
PID 4212 wrote to memory of 732	4212	setup_install.exe	137
PID 4212 wrote to memory of 732	4212	setup_install.exe	137
PID 4212 wrote to memory of 732	4212	setup_install.exe	137
PID 4212 wrote to memory of 2980	4212	setup_install.exe	90
PID 4212 wrote to memory of 2980	4212	setup_install.exe	90
PID 4212 wrote to memory of 2980	4212	setup_install.exe	90
PID 4212 wrote to memory of 3952	4212	setup_install.exe	91
PID 4212 wrote to memory of 3952	4212	setup_install.exe	91
PID 4212 wrote to memory of 3952	4212	setup_install.exe	91
PID 4212 wrote to memory of 4808	4212	setup_install.exe	92
PID 4212 wrote to memory of 4808	4212	setup_install.exe	92
PID 4212 wrote to memory of 4808	4212	setup_install.exe	92
PID 4212 wrote to memory of 4352	4212	setup_install.exe	93
PID 4212 wrote to memory of 4352	4212	setup_install.exe	93
PID 4212 wrote to memory of 4352	4212	setup_install.exe	93
PID 4212 wrote to memory of 3532	4212	setup_install.exe	94
PID 4212 wrote to memory of 3532	4212	setup_install.exe	94
PID 4212 wrote to memory of 3532	4212	setup_install.exe	94
PID 2076 wrote to memory of 3732	2076	cmd.exe	95
PID 2076 wrote to memory of 3732	2076	cmd.exe	95
PID 2076 wrote to memory of 3732	2076	cmd.exe	95
PID 732 wrote to memory of 4520	732	cmd.exe	96
PID 732 wrote to memory of 4520	732	cmd.exe	96
PID 732 wrote to memory of 4520	732	cmd.exe	96
PID 4212 wrote to memory of 4512	4212	setup_install.exe	98
PID 4212 wrote to memory of 4512	4212	setup_install.exe	98
PID 4212 wrote to memory of 4512	4212	setup_install.exe	98
PID 4212 wrote to memory of 4712	4212	setup_install.exe	100
PID 4212 wrote to memory of 4712	4212	setup_install.exe	100
PID 4212 wrote to memory of 4712	4212	setup_install.exe	100
PID 4212 wrote to memory of 2128	4212	setup_install.exe	101
PID 4212 wrote to memory of 2128	4212	setup_install.exe	101
PID 4212 wrote to memory of 2128	4212	setup_install.exe	101
PID 3952 wrote to memory of 5076	3952	cmd.exe	99
PID 3952 wrote to memory of 5076	3952	cmd.exe	99
PID 2980 wrote to memory of 2452	2980	cmd.exe	97
PID 2980 wrote to memory of 2452	2980	cmd.exe	97
PID 2980 wrote to memory of 2452	2980	cmd.exe	97
PID 4808 wrote to memory of 3292	4808	cmd.exe	102
PID 4808 wrote to memory of 3292	4808	cmd.exe	102
PID 4808 wrote to memory of 3292	4808	cmd.exe	102
PID 4352 wrote to memory of 4456	4352	cmd.exe	103
PID 4352 wrote to memory of 4456	4352	cmd.exe	103
PID 4352 wrote to memory of 4456	4352	cmd.exe	103
PID 3532 wrote to memory of 4836	3532	cmd.exe	104
PID 3532 wrote to memory of 4836	3532	cmd.exe	104
PID 3532 wrote to memory of 4836	3532	cmd.exe	104
PID 2128 wrote to memory of 4668	2128	cmd.exe	106
PID 2128 wrote to memory of 4668	2128	cmd.exe	106
PID 4512 wrote to memory of 1184	4512	cmd.exe	142
PID 4512 wrote to memory of 1184	4512	cmd.exe	142
PID 4712 wrote to memory of 3756	4712	cmd.exe	108
PID 4712 wrote to memory of 3756	4712	cmd.exe	108
PID 4712 wrote to memory of 3756	4712	cmd.exe	108
PID 4520 wrote to memory of 4532	4520	Mon206987d94f0ed4.exe	111
PID 4520 wrote to memory of 4532	4520	Mon206987d94f0ed4.exe	111
PID 4520 wrote to memory of 4532	4520	Mon206987d94f0ed4.exe	111
PID 3756 wrote to memory of 4748	3756	Mon200e0fb06f0e4eb.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon206987d94f0ed4.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon206987d94f0ed4.exe
      Mon206987d94f0ed4.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon206987d94f0ed4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon206987d94f0ed4.exe" -a
        5⤵
        Executes dropped EXE
        
        PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon2010d77a08c41abda.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon2010d77a08c41abda.exe
      Mon2010d77a08c41abda.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 376
        5⤵
        Program crash
        
        PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon20dfbf5709ab4.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon20dfbf5709ab4.exe
      Mon20dfbf5709ab4.exe
      4⤵
      Executes dropped EXE
      PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon20ea2d1a99fe5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon20ea2d1a99fe5.exe
      Mon20ea2d1a99fe5.exe
      4⤵
      Executes dropped EXE
      PID:3292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 824
        5⤵
        Program crash
        
        PID:412
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 832
        5⤵
        Program crash
        
        PID:4568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 832
        5⤵
        Program crash
        
        PID:4216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 880
        5⤵
        Program crash
        
        PID:2388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1004
        5⤵
        Program crash
        
        PID:2592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1076
        5⤵
        Program crash
        
        PID:4732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1084
        5⤵
        Program crash
        
        PID:4160
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1508
        5⤵
        Program crash
        
        PID:3696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1608
        5⤵
        Program crash
        
        PID:4272
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1508
        5⤵
        Program crash
        
        PID:2076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1048
        5⤵
        Program crash
        
        PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon207fb86dc43e314.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon207fb86dc43e314.exe
      Mon207fb86dc43e314.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon20f645bba5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon20f645bba5.exe
      Mon20f645bba5.exe
      4⤵
      Executes dropped EXE
      PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon20261d41513882.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon20261d41513882.exe
      Mon20261d41513882.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon200e0fb06f0e4eb.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon200e0fb06f0e4eb.exe
      Mon200e0fb06f0e4eb.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        5⤵
        
        PID:4748
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Conservava.xlam
        5⤵
        
        PID:4368
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^aXXPLdOdpKvHEwwcALYIInWmgGDtBFsVVodqfjpjFmFfheNjFpLslXxTwbAyMJPDzALcKwugCMepSGkjSsms$" Suoi.xlam
        7⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com
        
        Talune.exe.com K
        7⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com K
        8⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4564
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping GAWKBMOT -n 30
        7⤵
        Runs ping.exe
        
        PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon204f125a31b.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon204f125a31b.exe
      Mon204f125a31b.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 572
    3⤵
    - Program crash
    PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4212 -ip 4212
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3292 -ip 3292
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3292 -ip 3292
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3292 -ip 3292
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3292 -ip 3292
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3292 -ip 3292
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3292 -ip 3292
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3292 -ip 3292
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3292 -ip 3292
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3292 -ip 3292
1⤵
PID:732

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3292 -ip 3292
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3292 -ip 3292
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon200e0fb06f0e4eb.exe

Filesize
1.5MB

MD5
f3d679a13d543153a37d9d95a6118ffd

SHA1
8064e6f869049bf3682b802b2ffeafbc60383288

SHA256
164e93724abba0dd0d6ef012b48eaffea77c983a7a7828f2663b1ab8c26d348f

SHA512
6942757c458000b27427fc2a2e607ede781382618febb1f0909a240a3d55d7af3bc3664d6363ca536469cc3f44e34bdaece3ec801c92d288e79758785eaf2c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon200e0fb06f0e4eb.exe

Filesize
5KB

MD5
a307b7a2f1ecad2e8cd832bb6e33f583

SHA1
08ea22b49c2e2e1a9a7795d60663a25d4b1797d4

SHA256
bde8fc75ec8c1744fa3b07b1d18da771c52b40c453226379364935f10836d65c

SHA512
5385286db4ecd30b8f537e00c5b63f0f5e406707805295741478863ba83dd167606d857f8d637be4182f4b1109a1931fd5c7614c56058e73804b1e2aa66ef9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon2010d77a08c41abda.exe

Filesize
189KB

MD5
e09173820ea91934d092118108068292

SHA1
8ef425cbcf02688a4a2f4dfac37cc255b1368eec

SHA256
8dbea84a69cd6ddeaef50739f8f520f0cdd0258baecd517b1832d154fb18b958

SHA512
27dda3e88b73c8b0761d5a3a0d311ac3063661002e92a5ce88ceac2f958119d6b46e3466c6c0e282bc4789fad314746e34e1ad55ecbd5da7f8f46e435d091117

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon20261d41513882.exe

Filesize
121KB

MD5
e5b616672f1330a71f7b32b7ca81480a

SHA1
ea053fb53f2162c4d47113673d822165289f09cb

SHA256
f71479eca4d5d976aaba365a6f999729d579c538c10c39808b6490ba770cd472

SHA512
d840a1a66e6ec89a69a9a99e6477ce2afd1a7d1d4800357a84b1a82e8d2d856ed3c02e62eeae002a6ee7eb932593b5dd8b122da2e17ac6a7915f4603292e3318

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon20261d41513882.exe

Filesize
14KB

MD5
4f50ceb1fc8e7164bfcbfade6b62160e

SHA1
b3e1ec2c50259077634b9ad5e5e1c3524283ea71

SHA256
8c3f3b49a7a66ce47f90408a07af64c5c6d2f21f69cebc866c3cef2b28bf2215

SHA512
2b4411c0438d52c275b00d5d7f9781569c448de54563382493672615270c41a9d69c6f5480181a9b813a20f0af6c676f5b47ba48120f3ba269aec480c6ca7422

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon204f125a31b.exe

Filesize
8KB

MD5
ce3a49b916b81a7d349c0f8c9f283d34

SHA1
a04ea42670fcf09fffbf7f4d4ac9c8e3edfc8cf4

SHA256
9a1f1a9f448d94c8954b8004a4ff3e8405f8b18139f95d04f8d9b40c483e1b40

SHA512
e7e0150f3c79300c4e11ca391de9553440846c4b9594b49d8854769a347deb4ba10d5f7d3e7684e3a942ff15b61484910adc12014495adef68eaeb98f887ed80

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon206987d94f0ed4.exe

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon207fb86dc43e314.exe

Filesize
279KB

MD5
af23965c3e2673940b70f436bb45f766

SHA1
ccc8b03ea8c568f1b333458cff3f156898fc29f7

SHA256
e6271d738fc78602abc8916fb4742638b2b4c4205882f6db24eb361694c67503

SHA512
f0202e3ed32b9e69785bb50551b5143fe69298dead3c9a3d539cc6c6768f70f8263f074f912d1de5decb122bc365b7645428c0d10040f6f15a41f3a5ac0a4611

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon20dfbf5709ab4.exe

Filesize
241KB

MD5
5866ab1fae31526ed81bfbdf95220190

SHA1
75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f

SHA256
9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e

SHA512
8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon20ea2d1a99fe5.exe

Filesize
557KB

MD5
e8dd2c2b42ddc701b1e2c34cc1fe99b1

SHA1
c3751581986d6cada60747843792d286fd671657

SHA256
835443a1038ad5e0a4dde2451baa95b529f049362955d57daf0b5921729a4f17

SHA512
e179b3b4c2f24d089566630c6ee0421418fe17aa4195dc9b04f471665094ce3a4b3ed29da7b6829b7484fa3e785abd343a1cf7abc556f6f5b5403a92b16a970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon20f645bba5.exe

Filesize
631KB

MD5
64be7ccaa252abfd99ecf77bc8cce4d5

SHA1
9a9633c3cd6b394d149982021e008da3ceb64be0

SHA256
d9e8d0bdac5bc0b2a4958536474496fcaaf964d135cd1fe49d1e566b6640199c

SHA512
392782e14a78c1c157ee2935990805b13e0db39cd7629be7c880fe05c078c36a5807fb36e70320e6997399be88e85b8c51272fa51a48863bf2ea99c669e32de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\Mon20f645bba5.exe

Filesize
605KB

MD5
50aef5d612c57cb2a68c3720ddba06d3

SHA1
948c046a676c73f603364cae9990db07096e1617

SHA256
91fcf523857efeb67d606ca99b04cb51bcb1272093295522fd6be0ed8027cd71

SHA512
4f4966a37b480806bc0b61ce61d2046d547e0806d3309e9dfb824ae45a06dc4daeeee6eb91494bd7c911d92e403e2a57678e770bcdda0c08605f081e41db2b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB3C7277\setup_install.exe

Filesize
2.1MB

MD5
54e1a0e5aef038ef6007bb47bef17859

SHA1
b2a12edd940f2ce9989f7ac8cbb70f09eeca7747

SHA256
a9a27d84c511522e7ed72004fb36f3dd438dfab82ae8768e45d21ad6f438a4b9

SHA512
b037817387fe0676b370001972a4abe71282f22373774f10a2a3ca039016fe434b7f18663b941bf17d265f8253f25dbe97b5a7336976a4a8de6e6cc555729b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cercare.xlam

Filesize
474KB

MD5
f4770921654fdbeb37faf0a7d419079a

SHA1
9b07a59e50615fb33d9f3aa40bce931b3f8cc95b

SHA256
6b40ebab1ff4b2c9edfc2d243f564ec2828f5e2dcc9e9deb5e2161cd1c37cb45

SHA512
b9abd064348d5f13961782e3e4d5e20e33b1e4fc2c152b0a510d52f5a27b885e4fcafe1744351518a59984d6e501592922f856d90ed55106af86a2fe1dc4ac82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Conservava.xlam

Filesize
439B

MD5
67db09870ad0361cb90cfcceffe5c87c

SHA1
3d5071241bc942beab03782aabd90e2618fac1df

SHA256
455e2f47d0fbeee0f9e5b5ea7b51ce923d85fb98ba46572ccf6740814fa524a0

SHA512
1f0d712bf99001a38d3c7af42ca0a6ab226660b18f422963305aef35e33064ad43949eb9b516f3c3efdf8bf4b7bd5e5f8d02baebd3762f79fbdf3850ffc879cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K

Filesize
287KB

MD5
3c7f81f28d842e8696c9296cc54c8739

SHA1
7555c333659a4630a935df23ce5faeaea2cc6ea7

SHA256
4ad3433e2b086c295edda8d8add75adb33e00b64cd07dbfdd72e599c20406485

SHA512
84239b38b078964e2f26d2fbd05eeb190eecee23463237b63e9361b73953c0011724ff8c97df4ab5322c61d72b9187318bc9f8861ee4d67af0e12362a32d59d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Passaggio.xlam

Filesize
69KB

MD5
92d09de2035d31b7bf87550cb9915ff3

SHA1
3e118edecf5de44a43ccc3a862ad60e586e25713

SHA256
ebe9905c946cf0d43bd67e9e00ed580d95e6b87dd9409818ff223697e9435c52

SHA512
5a5e435dac1004bacf403b866a0b76c502aa725c28cf751fd584398a0cb3535cc098f32b9a8c762912883e0be94dca8830b40947003793b3ff239a9afa9e0fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Suoi.xlam

Filesize
265KB

MD5
1c6c6f626835581d39ed0615a92fcb3c

SHA1
63e9961eb8baf53185c2ce9ccbff5c104bba8f45

SHA256
7182fdbb3917d1aa1db4375d9d4d432ac1e8bcefe8c469d13a3cc818493975a2

SHA512
27fd0dec9e61757e40d7c29a0151e43abea069658daaa5cbca5f1c9f0a3ab19686feb4df667deea7fd243c21a6f62ccf431cec7e94f49215d66a4e273eb1e553

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com

Filesize
426KB

MD5
b2b060a740d21f9904d0aecd391f3bec

SHA1
c678a12b2a838029e2c9c012891a63b38cafd719

SHA256
86114550ae3afdd7bc2192be57f8d581abe8d3702c23aa2474a603bd10cdd6e6

SHA512
adb19283dbd39c745068c38efd7f7dd66d32cb4977826f5570072ace67c8cd3486856911439cb21ef89181577720373a117942c06be45b0a4e48d328b7357497

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com

Filesize
263KB

MD5
a3b669eee15b904bfc517926e311ce0c

SHA1
7e5f938f16ed05cb1c50721b2371ec152c5a83ac

SHA256
2bcd4bb266fd3cec36a4a179f67f116211a7404706f2fa34a29281d451f82ed9

SHA512
8b284451305fcd3ab1577d0aaeec3d68dfbeaaa6fa654e87cf47342a6221702b4924200555d2e723955347238da6ce3aad9355b9e893be7e20980abfa52f9a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hdeh2ey1.zem.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1184-94-0x0000000000DF0000-0x0000000000E14000-memory.dmp

Filesize
144KB

Download
memory/1184-120-0x0000000002D70000-0x0000000002D8C000-memory.dmp

Filesize
112KB

Download
memory/1184-107-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/1184-148-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/1184-131-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/2452-138-0x0000000002D50000-0x0000000002D59000-memory.dmp

Filesize
36KB

Download
memory/2452-136-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

Filesize
1024KB

Download
memory/2452-143-0x0000000000400000-0x0000000002CBE000-memory.dmp

Filesize
40.7MB

Download
memory/2452-204-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

Filesize
1024KB

Download
memory/3292-144-0x0000000003070000-0x0000000003170000-memory.dmp

Filesize
1024KB

Download
memory/3292-145-0x0000000002F80000-0x000000000301D000-memory.dmp

Filesize
628KB

Download
memory/3292-203-0x0000000003070000-0x0000000003170000-memory.dmp

Filesize
1024KB

Download
memory/3292-149-0x0000000000400000-0x0000000002D1A000-memory.dmp

Filesize
41.1MB

Download
memory/3480-189-0x0000000003590000-0x00000000035A6000-memory.dmp

Filesize
88KB

Download
memory/3732-82-0x00000000737C0000-0x0000000073F70000-memory.dmp

Filesize
7.7MB

Download
memory/3732-142-0x0000000006420000-0x000000000643E000-memory.dmp

Filesize
120KB

Download
memory/3732-188-0x00000000737C0000-0x0000000073F70000-memory.dmp

Filesize
7.7MB

Download
memory/3732-184-0x0000000007A80000-0x0000000007A9A000-memory.dmp

Filesize
104KB

Download
memory/3732-185-0x0000000007A70000-0x0000000007A78000-memory.dmp

Filesize
32KB

Download
memory/3732-106-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/3732-183-0x0000000007990000-0x00000000079A4000-memory.dmp

Filesize
80KB

Download
memory/3732-182-0x0000000007980000-0x000000000798E000-memory.dmp

Filesize
56KB

Download
memory/3732-181-0x0000000007950000-0x0000000007961000-memory.dmp

Filesize
68KB

Download
memory/3732-118-0x0000000005F90000-0x00000000062E4000-memory.dmp

Filesize
3.3MB

Download
memory/3732-112-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/3732-180-0x00000000079C0000-0x0000000007A56000-memory.dmp

Filesize
600KB

Download
memory/3732-179-0x00000000077D0000-0x00000000077DA000-memory.dmp

Filesize
40KB

Download
memory/3732-177-0x0000000007D90000-0x000000000840A000-memory.dmp

Filesize
6.5MB

Download
memory/3732-178-0x0000000007750000-0x000000000776A000-memory.dmp

Filesize
104KB

Download
memory/3732-163-0x000000007F3B0000-0x000000007F3C0000-memory.dmp

Filesize
64KB

Download
memory/3732-175-0x00000000073F0000-0x0000000007493000-memory.dmp

Filesize
652KB

Download
memory/3732-91-0x0000000005570000-0x0000000005592000-memory.dmp

Filesize
136KB

Download
memory/3732-176-0x00000000737C0000-0x0000000073F70000-memory.dmp

Filesize
7.7MB

Download
memory/3732-174-0x0000000006950000-0x000000000696E000-memory.dmp

Filesize
120KB

Download
memory/3732-164-0x000000006EE20000-0x000000006EE6C000-memory.dmp

Filesize
304KB

Download
memory/3732-162-0x00000000069A0000-0x00000000069D2000-memory.dmp

Filesize
200KB

Download
memory/3732-81-0x0000000002E40000-0x0000000002E76000-memory.dmp

Filesize
216KB

Download
memory/3732-84-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/3732-85-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/3732-83-0x0000000005710000-0x0000000005D38000-memory.dmp

Filesize
6.2MB

Download
memory/4212-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4212-140-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/4212-135-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4212-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4212-139-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4212-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4212-137-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4212-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4212-134-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4212-54-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4212-61-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4212-62-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4212-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4212-58-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4212-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4212-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4212-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4212-53-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4456-96-0x0000000004A60000-0x0000000004A82000-memory.dmp

Filesize
136KB

Download
memory/4456-121-0x0000000007450000-0x00000000079F4000-memory.dmp

Filesize
5.6MB

Download
memory/4456-130-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/4456-93-0x0000000004800000-0x000000000482F000-memory.dmp

Filesize
188KB

Download
memory/4456-129-0x00000000737C0000-0x0000000073F70000-memory.dmp

Filesize
7.7MB

Download
memory/4456-132-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/4456-128-0x0000000000400000-0x0000000002CD3000-memory.dmp

Filesize
40.8MB

Download
memory/4456-127-0x0000000007370000-0x00000000073BC000-memory.dmp

Filesize
304KB

Download
memory/4456-123-0x0000000004B00000-0x0000000004B20000-memory.dmp

Filesize
128KB

Download
memory/4456-126-0x0000000004E20000-0x0000000004E5C000-memory.dmp

Filesize
240KB

Download
memory/4456-125-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/4456-124-0x0000000007A00000-0x0000000008018000-memory.dmp

Filesize
6.1MB

Download
memory/4456-119-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/4456-92-0x0000000002E20000-0x0000000002F20000-memory.dmp

Filesize
1024KB

Download
memory/4456-122-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/4456-133-0x00000000080E0000-0x00000000081EA000-memory.dmp

Filesize
1.0MB

Download
memory/4456-192-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/4456-202-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/4564-209-0x0000000004780000-0x0000000004823000-memory.dmp

Filesize
652KB

Download
memory/4564-210-0x0000000004780000-0x0000000004823000-memory.dmp

Filesize
652KB

Download
memory/4564-211-0x0000000004780000-0x0000000004823000-memory.dmp

Filesize
652KB

Download
memory/4564-212-0x0000000004780000-0x0000000004823000-memory.dmp

Filesize
652KB

Download
memory/4564-213-0x0000000004780000-0x0000000004823000-memory.dmp

Filesize
652KB

Download
memory/4564-214-0x0000000004780000-0x0000000004823000-memory.dmp

Filesize
652KB

Download
memory/4668-95-0x000000001AEC0000-0x000000001AED0000-memory.dmp

Filesize
64KB

Download
memory/4668-90-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/4668-87-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download