fabookie | 272501aa281816ae02b8b7ceb2ed9a8b98eb61a4f89a44d7d3f10d372ec25027

Analysis

max time kernel
238s
max time network
602s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
18-05-2024 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

7.4MB
MD5

518b3e947e8a892d8b9c49800bfc2877
SHA1

73a8bb6a190613d55530a8fcab924975a192fb46
SHA256

4eb8c045243cb7746a602550b8e99e57be42ae93b5d39cbe3b2c3939d481590b
SHA512

9d75f45b4fe7ec6227fba508376dd52809198312b5afedb1abc85dd84b49ca9174f661703c7f6caea28d58fc20303ccf88d436f6a645288d69809d5594a2e4d9
SSDEEP

196608:xDLUCg7/GX8TfhtpVsN8KzUJ1RHEwUIhL/JOdtS:xfdg7/GXKfhDVsN8Ko1S8hboE

Score

10^/10

fabookie nullmixer redline socelars media13n v2user1 aspackv2 dropper execution infostealer spyware stealer

Malware Config

Extracted

Family

socelars

http://www.yarchworkshop.com/

Extracted

Family

redline

Botnet

v2user1

159.69.246.184:13127

Attributes

auth_value
0cd1ad671efa88aa6b92a97334b72134

Extracted

Family

redline

Botnet

media13n

65.108.69.168:13293

Attributes

auth_value
3cb0518973facc842139b0ea346245a8

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue169280cf3d91c87b7.exe	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral4/memory/3984-167-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral4/memory/4828-199-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue1607f837bd50.exe	family_socelars

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue169280cf3d91c87b7.exe	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue169280cf3d91c87b7.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\11111.exe	Nirsoft
behavioral4/memory/2088-186-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4788 powershell.exe
852 powershell.exe

pid	process
4788	powershell.exe
852	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\libcurl.dll	aspack_v212_v242

Executes dropped EXE 14 IoCs

Processes:

setup_install.exeTue169280cf3d91c87b7.exeTue16ca6572e2.exeTue16edfa40e1241.exeTue16d81b46bfe80f.exeTue16cb2666fdffa.exeTue16adaafcd1f4eb9a.exeTue16d038926a8.exeTue16f2d1010d03932e0.exeTue16ef909fed917.exeTue16d81b46bfe80f.exeTue16ef909fed917.exe11111.exeTue16d81b46bfe80f.exe

pid	process
2224	setup_install.exe
4640	Tue169280cf3d91c87b7.exe
2024	Tue16ca6572e2.exe
1644	Tue16edfa40e1241.exe
3068	Tue16d81b46bfe80f.exe
4484	Tue16cb2666fdffa.exe
4184	Tue16adaafcd1f4eb9a.exe
3500	Tue16d038926a8.exe
1084	Tue16f2d1010d03932e0.exe
752	Tue16ef909fed917.exe
3316	Tue16d81b46bfe80f.exe
3984	Tue16ef909fed917.exe
2088	11111.exe
4828	Tue16d81b46bfe80f.exe

Loads dropped DLL 8 IoCs

Processes:

setup_install.exemsiexec.exe

pid	process
2224	setup_install.exe
2224	setup_install.exe
2224	setup_install.exe
2224	setup_install.exe
2224	setup_install.exe
2224	setup_install.exe
4148	msiexec.exe
4148	msiexec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

Tue16ef909fed917.exeTue16d81b46bfe80f.exe

description	pid	process	target process
PID 752 set thread context of 3984	752	Tue16ef909fed917.exe	Tue16ef909fed917.exe
PID 3068 set thread context of 4828	3068	Tue16d81b46bfe80f.exe	Tue16d81b46bfe80f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4904	4484	WerFault.exe	Tue16cb2666fdffa.exe
2192	2024	WerFault.exe	Tue16ca6572e2.exe
4816	3984	WerFault.exe	Tue16ef909fed917.exe
4200	1644	WerFault.exe	Tue16edfa40e1241.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

852 powershell.exe
852 powershell.exe
4788 powershell.exe
4788 powershell.exe
852 powershell.exe
4788 powershell.exe

pid	process
852	powershell.exe
852	powershell.exe
4788	powershell.exe
4788	powershell.exe
852	powershell.exe
4788	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeTue16d81b46bfe80f.exeTue16ef909fed917.exeTue16d038926a8.exe

description	pid	process
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	3068	Tue16d81b46bfe80f.exe
Token: SeDebugPrivilege	752	Tue16ef909fed917.exe
Token: SeDebugPrivilege	3500	Tue16d038926a8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_installer.exesetup_install.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2576 wrote to memory of 2224	2576	setup_installer.exe	setup_install.exe
PID 2576 wrote to memory of 2224	2576	setup_installer.exe	setup_install.exe
PID 2576 wrote to memory of 2224	2576	setup_installer.exe	setup_install.exe
PID 2224 wrote to memory of 2304	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2304	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2304	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 4060	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 4060	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 4060	2224	setup_install.exe	cmd.exe
PID 2304 wrote to memory of 852	2304	cmd.exe	powershell.exe
PID 2304 wrote to memory of 852	2304	cmd.exe	powershell.exe
PID 2304 wrote to memory of 852	2304	cmd.exe	powershell.exe
PID 4060 wrote to memory of 4788	4060	cmd.exe	powershell.exe
PID 4060 wrote to memory of 4788	4060	cmd.exe	powershell.exe
PID 4060 wrote to memory of 4788	4060	cmd.exe	powershell.exe
PID 2224 wrote to memory of 2216	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2216	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2216	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 1684	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 1684	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 1684	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3852	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3852	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3852	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2876	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2876	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2876	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 4008	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 4008	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 4008	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 1332	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 1332	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 1332	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2952	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2952	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2952	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3040	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3040	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3040	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3060	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3060	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3060	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2596	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2596	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2596	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3484	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3484	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3484	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 1344	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 1344	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 1344	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 4520	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 4520	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 4520	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2944	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2944	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 2944	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3272	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3272	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 3272	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 4500	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 4500	2224	setup_install.exe	cmd.exe
PID 2224 wrote to memory of 4500	2224	setup_install.exe	cmd.exe
PID 3040 wrote to memory of 4640	3040	cmd.exe	Tue169280cf3d91c87b7.exe

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue1607f837bd50.exe
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16d038926a8.exe
    3⤵
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16d038926a8.exe
      Tue16d038926a8.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16d81b46bfe80f.exe
    3⤵
    PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16d81b46bfe80f.exe
      Tue16d81b46bfe80f.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16d81b46bfe80f.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16d81b46bfe80f.exe
        5⤵
        Executes dropped EXE
        
        PID:3316
    - - C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16d81b46bfe80f.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16d81b46bfe80f.exe
        5⤵
        Executes dropped EXE
        
        PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue1644f50e0bbcc.exe
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue166ea2504a.exe
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue1613d0ad1b6.exe
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue166e17f188ab5b.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue169280cf3d91c87b7.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue169280cf3d91c87b7.exe
      Tue169280cf3d91c87b7.exe
      4⤵
      Executes dropped EXE
      PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16edfa40e1241.exe
    3⤵
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16edfa40e1241.exe
      Tue16edfa40e1241.exe
      4⤵
      Executes dropped EXE
      PID:1644
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 276
        5⤵
        Program crash
        
        PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16cb2666fdffa.exe /mixtwo
    3⤵
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16cb2666fdffa.exe
      Tue16cb2666fdffa.exe /mixtwo
      4⤵
      Executes dropped EXE
      PID:4484
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 420
        5⤵
        Program crash
        
        PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue160ec21e718e9.exe
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16adaafcd1f4eb9a.exe
    3⤵
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16adaafcd1f4eb9a.exe
      Tue16adaafcd1f4eb9a.exe
      4⤵
      Executes dropped EXE
      PID:4184
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" -Y .\CQUb7B.~X
        5⤵
        Loads dropped DLL
        
        PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16f2d1010d03932e0.exe
    3⤵
    PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16f2d1010d03932e0.exe
      Tue16f2d1010d03932e0.exe
      4⤵
      Executes dropped EXE
      PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16ef909fed917.exe
    3⤵
    PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16ef909fed917.exe
      Tue16ef909fed917.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:752
    - - C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16ef909fed917.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16ef909fed917.exe
        5⤵
        Executes dropped EXE
        
        PID:3984
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 28
        6⤵
        Program crash
        
        PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue169162ad2d3da34b.exe
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16ca6572e2.exe
    3⤵
    PID:4500
  - - C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16ca6572e2.exe
      Tue16ca6572e2.exe
      4⤵
      Executes dropped EXE
      PID:2024
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 240
        5⤵
        Program crash
        
        PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4484 -ip 4484
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2024 -ip 2024
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3984 -ip 3984
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1644 -ip 1644
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tue16d81b46bfe80f.exe.log

Filesize
700B

MD5
342f1c43dace4ddfe34db85a773f2721

SHA1
04bbf6f8807395cb790e7f4e75ec3d7ec8413f48

SHA256
54eb3a697ee93fdbd9ebe2b6d576d1d7f98d18b5e293d713b25acd71176bbf6d

SHA512
f943318dc9196ef5b857f9115e529c8c1d49910b772795edca42b6941fb3bdec50e3224ef48dadd42322adbbd4b3dab3c1b7aa20e58a8ed3ab7386e3c10c29fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
4b5180721d4dcfd3b7c2768ca7e89ecd

SHA1
f6e96b20bef9295c58c6c1c009b6de04d7cf1ab6

SHA256
46de0d05061396664620810f6248343051b4b51d8300979c0a06b3bc681352ef

SHA512
5c8163fb6f296cf12d2941c67c0471012350400b6d21d827e5d38ddf6ad4fd9c9db44c9132ef5d71b9cc78855bf49166715b721654374ddc34bc46d83dfbbe56

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
311KB

MD5
cc0d6b6813f92dbf5be3ecacf44d662a

SHA1
b968c57a14ddada4128356f6e39fb66c6d864d3f

SHA256
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498

SHA512
4d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue1607f837bd50.exe

Filesize
1.4MB

MD5
367c574185ea01ac2ba69a1c8856ad57

SHA1
0b9b5af1ce8dce38937357f47e2817d85a6aba61

SHA256
18a630270e0ab33eccfb304269b4fa5bcefa565a1dbe3bd04f3f2a269646f5e9

SHA512
7862ad92b670e7193f266473c59166a6a9081ad28c66d328521aa288ad3ab92d9b98563b0fb768442706692224a69965d697b75dc974c73be934b5fd32f80a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue160ec21e718e9.exe

Filesize
120KB

MD5
dcde74f81ad6361c53ebdc164879a25c

SHA1
640f7b475864bd266edba226e86672101bf6f5c9

SHA256
cc10c90381719811def4bc31ff3c8e32c483c0eeffcb149df0b071e5a60d517b

SHA512
821b1a05601bbaee21cbd0b3cf2859359795ae55a3df8dea81f1142ede74b52af31273ffbbba772d77e40477853e6b02c9df8c44fc2ddad1cf3d248530427fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue1613d0ad1b6.exe

Filesize
1.5MB

MD5
204801e838e4a29f8270ab0ed7626555

SHA1
6ff2c20dc096eefa8084c97c30d95299880862b0

SHA256
13357a53f4c23bd8ac44790aa1db3233614c981ded62949559f63e841354276a

SHA512
008e6cb08094621bbcadfca32cc611a4a8c78158365e5c81eb58c4e7d5b7e3d36c88b543390120104f1c70c5393b1c1c38c33761cf65736fdf6873648df3fc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue1644f50e0bbcc.exe

Filesize
1.5MB

MD5
b0e64f3da02fe0bac5102fe4c0f65c32

SHA1
eaf3e3cb39714a9fae0f1024f81a401aaf412436

SHA256
dbc10a499e0c3bddcfa7266d5cce117343e0d8a164bdaa5d5dbcfee5d5392571

SHA512
579d4ba54a5a41cf2261360f0c009fd3e7b6990499e2366cb6f1eceacb2cc6215f053e780484908211b824711acbea389f3d91de6f40b9e2b6564baedd106805

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue166e17f188ab5b.exe

Filesize
381KB

MD5
0295436778d0d530c12a4f2576f9717f

SHA1
fc712556f67fc2ac6eef59db2783d0c4d5e45068

SHA256
8bfd2ae9f340057c1ba4c042215ccc3a461ea24277f2a77e23d915ceb495910a

SHA512
b05f7901cde3c772694a959d040eda981f67c6355611729deb3251feac60621122f0558b2ca36f9e2c6425d92b406f331267b75d4b42597f07e94825ffbfc2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue166ea2504a.exe

Filesize
8KB

MD5
7e32ef0bd7899fa465bb0bc866b21560

SHA1
115d09eeaff6bae686263d57b6069dd41f63c80c

SHA256
f45daafd61371b1f080a92eea8e9c8bfc9b710f22c82d5a06a1b1bf271c646ad

SHA512
9fbf4afc7a03460cd56f2456684108ccce9cfc8d31361bb49dd0531fa82b6b002450ab3c4c7f3d96f1dc55761615465828b1c33702d23d59fabe155a9db1b5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue169162ad2d3da34b.exe

Filesize
147KB

MD5
c709426184c7d412e0770fdcece52c60

SHA1
ba5caaa72a7f1338815a6f61767fbbcda3f61e52

SHA256
279d55e004ded5923888a2a5bf2e9e8295fa669a436e426396734def04565ea4

SHA512
7f5310126428128851249ce07f08c9d9410274eda04fbe4d8d5a0e4d6256f3fee96846fa0d3ce1206ce1c592c1b87d47bbd0083a47bd1a0726ea80c9804803f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue169280cf3d91c87b7.exe

Filesize
1.4MB

MD5
6a306f07fcb8c28197a292dcd39d8796

SHA1
ef25c24fd3918a0efd450c1c5c873265d5886626

SHA256
68fb1568af02a8bff326df6de053d082199db809aa925aefac2749c64f78994f

SHA512
84f938b3974be1b66872cdacb910ec580a2542068d018ac93662238de55a898a5d6df6e9a202a18138effc9308fffac1612149be879f1803bc73f5972f54b90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16adaafcd1f4eb9a.exe

Filesize
1.9MB

MD5
54d2fc3e938c7bf779a02ff79ffa9539

SHA1
9245694f11c723ff909cab922a38d4af7609851f

SHA256
9eb31139aa92f94d5ec43d9842f987a0449638718ad1c0c513ab26d73427ee93

SHA512
909a8e7706ef84152d8350f4c7d6ca0aaae3b587bc62d2d466ec7b92649d4b63afca7ac24cc0f0aca02d43c4a49190734a2380de202606fc463ea6157eba74fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16ca6572e2.exe

Filesize
753KB

MD5
7362b881ec23ae11d62f50ee2a4b3b4c

SHA1
2ae1c2a39a8f8315380f076ade80028613b15f3e

SHA256
8af8843d8d5492c165ef41a8636f86f104bf1c3108372a0933961810c9032cf2

SHA512
071879a8901c4d0eba2fa886b0a8279f4b9a2e3fbc7434674a07a5a8f3d6a6b87a6dce414d70a12ab94e3050bd3b55e8bfaf8ffea6d24ef6403c70bd4a1c5b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16cb2666fdffa.exe

Filesize
1.1MB

MD5
aa75aa3f07c593b1cd7441f7d8723e14

SHA1
f8e9190ccb6b36474c63ed65a74629ad490f2620

SHA256
af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1

SHA512
b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16d038926a8.exe

Filesize
181KB

MD5
f182ea979373a6a945e6f1ae89cb7d33

SHA1
7fa1fb74e5cb192c165ea0f05d907dedd16b5700

SHA256
d487a2ccf6e32b1be1d6001f3f849e494570d374d44dc3240f41141bce99dc26

SHA512
8c900b5a8f19d17cbea917110c832957beeb1044c2f6d14e44d068eccca0132c2ea42e974acd42c947a33dd9862756993d17e13bb8e03d1f65d656b739efb513

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16d81b46bfe80f.exe

Filesize
531KB

MD5
857255af921c3f8a5b60570971e2b496

SHA1
6f5389eb9c471e4b1ba6b83a55ece0bd1cf91ca9

SHA256
4e99924bcc2438c97482023e9ba8c1e412f5552a23eef9a51ad37280ee82b900

SHA512
e14ac63b8b19b88de72b9d58569dd38a889ffdb1bdf09ce7b9c2d7e26c49d06caf209d16059477b03b447ed52a16e1e0d8c04854986e4f79ebd31235e39f9d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16edfa40e1241.exe

Filesize
320KB

MD5
1ddcb6c220d2465e0924cf0d51b2d59b

SHA1
97cfca94e7182a19e055003788c2f7dabf16338f

SHA256
3640db2660a3e68831afa008f63c9542916a3e49c5648d487a217011a31d1dac

SHA512
7b9e7218b4f710fc12eb297002784e599b62325a07fd85091804562c69a621d3b3dcc354f4788e86d96c18a3a235fcafd40c910cdc6cb827de59f860bd72f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16ef909fed917.exe

Filesize
532KB

MD5
43e459f57576305386c2a225bfc0c207

SHA1
13511d3f0d41fe28981961f87c3c29dc1aa46a70

SHA256
fb58f709914380bce2e643aa0f64cd5458cb8b29c8f072cd1645e42947f89787

SHA512
33cbcc6fb73147b7b3f2007be904faf01dc04b0e773bb1cfe6290f141b1f01cb260cd4f3826e30ab8c60d981bcc1b7f60e17ab7146ba32c94c87ac3a2b717207

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\Tue16f2d1010d03932e0.exe

Filesize
147KB

MD5
fb6abbe70588dd2b3fb91161410f2805

SHA1
193085164a8d2caa9e1e4e6d619be6481b5623b9

SHA256
9283fb214b006f9e2fd49fe21798a44ae5663566b1b2b08b448db7bdda996859

SHA512
9f2e7045982e61efeb4b3ec5523b0cc63d096166fcb02ea1d66fcdbf0f2fbec575baa381f7727c9222ea23b65038e4f98479514ab3168b6d9f5138cb64bb177a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A6E067\setup_install.exe

Filesize
2.1MB

MD5
437fd343fab39a10533bc0b7d5b66ea0

SHA1
1be9e0fdecde98dc305907de9b2fd1664ec8c114

SHA256
3c66c3b1296f68b5ac2437c2aeb3d09db3fc42fcabefc2fe09216aca1f5eaecc

SHA512
2ce3a7188dd0a4819636086e2ef40b87327ae10e19f4c42712deba01d72350b8449381a3d3dd33a94a83b9dd570312f1ccd105c9be7248a0ee254601a8b014f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_axla2t24.tpw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
memory/752-140-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download
memory/852-188-0x0000000007730000-0x000000000773A000-memory.dmp

Filesize
40KB

Download
memory/852-156-0x0000000073DE0000-0x0000000073E2C000-memory.dmp

Filesize
304KB

Download
memory/852-208-0x00000000079F0000-0x00000000079F8000-memory.dmp

Filesize
32KB

Download
memory/852-180-0x0000000007CF0000-0x000000000836A000-memory.dmp

Filesize
6.5MB

Download
memory/852-181-0x00000000076B0000-0x00000000076CA000-memory.dmp

Filesize
104KB

Download
memory/852-191-0x00000000078C0000-0x00000000078D1000-memory.dmp

Filesize
68KB

Download
memory/852-166-0x0000000007570000-0x0000000007614000-memory.dmp

Filesize
656KB

Download
memory/852-155-0x0000000007530000-0x0000000007564000-memory.dmp

Filesize
208KB

Download
memory/852-165-0x0000000006930000-0x000000000694E000-memory.dmp

Filesize
120KB

Download
memory/852-78-0x00000000733EE000-0x00000000733EF000-memory.dmp

Filesize
4KB

Download
memory/852-204-0x00000000078F0000-0x00000000078FE000-memory.dmp

Filesize
56KB

Download
memory/852-206-0x0000000007900000-0x0000000007915000-memory.dmp

Filesize
84KB

Download
memory/852-190-0x0000000007930000-0x00000000079C6000-memory.dmp

Filesize
600KB

Download
memory/852-143-0x0000000005250000-0x000000000526E000-memory.dmp

Filesize
120KB

Download
memory/852-144-0x00000000068B0000-0x00000000068FC000-memory.dmp

Filesize
304KB

Download
memory/852-207-0x0000000007A00000-0x0000000007A1A000-memory.dmp

Filesize
104KB

Download
memory/2088-186-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2224-96-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2224-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2224-104-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2224-105-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2224-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2224-100-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2224-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2224-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2224-66-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2224-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2224-71-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2224-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2224-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2224-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2224-75-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2224-102-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2224-74-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/2224-103-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2224-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2224-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3068-110-0x00000000005A0000-0x000000000062C000-memory.dmp

Filesize
560KB

Download
memory/3068-142-0x00000000055C0000-0x0000000005B66000-memory.dmp

Filesize
5.6MB

Download
memory/3068-139-0x00000000029D0000-0x00000000029EE000-memory.dmp

Filesize
120KB

Download
memory/3068-132-0x0000000004F70000-0x0000000004FE6000-memory.dmp

Filesize
472KB

Download
memory/3500-138-0x0000000000F80000-0x0000000000FB6000-memory.dmp

Filesize
216KB

Download
memory/3500-141-0x00000000017D0000-0x00000000017D6000-memory.dmp

Filesize
24KB

Download
memory/3984-167-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3984-215-0x00000000003A0000-0x00000000003A0000-memory.dmp

Download
memory/4148-150-0x0000000002860000-0x0000000003860000-memory.dmp

Filesize
16.0MB

Download
memory/4148-221-0x000000002DC20000-0x000000002DCB9000-memory.dmp

Filesize
612KB

Download
memory/4148-183-0x000000002DB70000-0x000000002DC1D000-memory.dmp

Filesize
692KB

Download
memory/4148-216-0x0000000002860000-0x0000000003860000-memory.dmp

Filesize
16.0MB

Download
memory/4148-192-0x000000002DC20000-0x000000002DCB9000-memory.dmp

Filesize
612KB

Download
memory/4148-194-0x000000002DC20000-0x000000002DCB9000-memory.dmp

Filesize
612KB

Download
memory/4148-189-0x000000002DC20000-0x000000002DCB9000-memory.dmp

Filesize
612KB

Download
memory/4484-154-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4484-121-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4788-171-0x0000000073DE0000-0x0000000073E2C000-memory.dmp

Filesize
304KB

Download
memory/4788-112-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/4788-113-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/4788-214-0x00000000733E0000-0x0000000073B91000-memory.dmp

Filesize
7.7MB

Download
memory/4788-76-0x0000000002F90000-0x0000000002FC6000-memory.dmp

Filesize
216KB

Download
memory/4788-77-0x00000000056D0000-0x0000000005CFA000-memory.dmp

Filesize
6.2MB

Download
memory/4788-95-0x00000000733E0000-0x0000000073B91000-memory.dmp

Filesize
7.7MB

Download
memory/4788-133-0x0000000006030000-0x0000000006387000-memory.dmp

Filesize
3.3MB

Download
memory/4788-111-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/4828-199-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4828-201-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

Filesize
72KB

Download
memory/4828-203-0x0000000005070000-0x00000000050AC000-memory.dmp

Filesize
240KB

Download
memory/4828-200-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/4828-202-0x0000000005140000-0x000000000524A000-memory.dmp

Filesize
1.0MB

Download