fabookie | abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a.exe
Size

3.4MB
MD5

efa310ffcb46aa3768de9aae3a8fdcda
SHA1

fc57edeadc23e53610eb75881fc7d2cecc847387
SHA256

abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SHA512

22578db72219ab2d80876d025475d74ec05db4a575d0b5c890033bb7cda9bcbf648217e6d140388643280802566b4fc4c77cd78f01d9d3f28b5594c2e406432d
SSDEEP

98304:JDxSfQksG3P/rm5AUfWo7lvZTkKXUx5KyChc2tpi:JDkQbCK5Qo7lviyUocypi

Malware Config

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

redline

Botnet

she

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

redline

Botnet

ANI

45.142.215.47:27643

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

redline

Botnet

media11

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

gcleaner

ggg-cl.biz

45.9.20.13

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002362b-100.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral2/memory/4368-128-0x0000000005BF0000-0x0000000005C14000-memory.dmp	family_redline
behavioral2/memory/4368-129-0x0000000005C70000-0x0000000005C92000-memory.dmp	family_redline
behavioral2/memory/1336-168-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/3284-165-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/4368-128-0x0000000005BF0000-0x0000000005C14000-memory.dmp	family_sectoprat
behavioral2/memory/4368-129-0x0000000005C70000-0x0000000005C92000-memory.dmp	family_sectoprat
behavioral2/memory/1336-168-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat
behavioral2/memory/3284-165-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

OnlyLogger payload 2 IoCs

resource	yara_rule
behavioral2/memory/4556-206-0x0000000000400000-0x00000000016E1000-memory.dmp	family_onlylogger
behavioral2/memory/4556-209-0x0000000000400000-0x00000000016E1000-memory.dmp	family_onlylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
125	3956	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4760	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000016844-54.dat	aspack_v212_v242
behavioral2/files/0x0007000000023622-62.dat	aspack_v212_v242
behavioral2/files/0x00050000000004e7-61.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	09xU.exE
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Mon17e1fac3fd3d84b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 18 IoCs

pid	Process
1356	setup_installer.exe
4344	setup_install.exe
4036	Mon17742f90b916675f2.exe
1032	Mon17b5f403be4d8d6b.exe
4968	Mon17f45359eb9.exe
4556	Mon1785436ae78.exe
4312	Mon17eac6d534bfd22c7.exe
540	Mon17e1fac3fd3d84b.exe
3944	Mon17c604381c7047e.exe
4320	Mon17948100733a95c58.exe
2596	Mon1795d04d4bd.exe
4368	Mon179e1058f256.exe
4728	Mon178817e243.exe
4640	09xU.exE
3284	Mon17948100733a95c58.exe
1336	Mon17eac6d534bfd22c7.exe
2016	e59ca6a.exe
4856	e59f4e5.exe

Loads dropped DLL 9 IoCs

pid	Process
4344	setup_install.exe
4344	setup_install.exe
4344	setup_install.exe
4344	setup_install.exe
4344	setup_install.exe
4344	setup_install.exe
4344	setup_install.exe
4912	rundll32.exe
3956	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
54	pastebin.com
56	pastebin.com
24	iplogger.org
25	iplogger.org
32	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4320 set thread context of 3284	4320	Mon17948100733a95c58.exe	127
PID 4312 set thread context of 1336	4312	Mon17eac6d534bfd22c7.exe	128

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
2880	4344	WerFault.exe	95
1448	4968	WerFault.exe	114
2484	4556	WerFault.exe	116
4228	4556	WerFault.exe	116
1192	4556	WerFault.exe	116
4888	4556	WerFault.exe	116
3688	4556	WerFault.exe	116
2160	4556	WerFault.exe	116
3988	4556	WerFault.exe	116
1192	4556	WerFault.exe	116
4404	4556	WerFault.exe	116
3476	2016	WerFault.exe	174
3660	4856	WerFault.exe	178
4348	4556	WerFault.exe	116
808	4556	WerFault.exe	116
4740	4556	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e59ca6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e59f4e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon17948100733a95c58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon17e1fac3fd3d84b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon17948100733a95c58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon17eac6d534bfd22c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon17b5f403be4d8d6b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09xU.exE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon17f45359eb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon179e1058f256.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon1785436ae78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon17742f90b916675f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon17eac6d534bfd22c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon17f45359eb9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon17f45359eb9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon17f45359eb9.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3840	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4556	Mon1785436ae78.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	4728	Mon178817e243.exe
Token: SeDebugPrivilege	2596	Mon1795d04d4bd.exe
Token: SeDebugPrivilege	3840	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 1356	388	abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a.exe	94
PID 388 wrote to memory of 1356	388	abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a.exe	94
PID 388 wrote to memory of 1356	388	abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a.exe	94
PID 1356 wrote to memory of 4344	1356	setup_installer.exe	95
PID 1356 wrote to memory of 4344	1356	setup_installer.exe	95
PID 1356 wrote to memory of 4344	1356	setup_installer.exe	95
PID 4344 wrote to memory of 4552	4344	setup_install.exe	98
PID 4344 wrote to memory of 4552	4344	setup_install.exe	98
PID 4344 wrote to memory of 4552	4344	setup_install.exe	98
PID 4552 wrote to memory of 4760	4552	cmd.exe	99
PID 4552 wrote to memory of 4760	4552	cmd.exe	99
PID 4552 wrote to memory of 4760	4552	cmd.exe	99
PID 4344 wrote to memory of 3976	4344	setup_install.exe	100
PID 4344 wrote to memory of 3976	4344	setup_install.exe	100
PID 4344 wrote to memory of 3976	4344	setup_install.exe	100
PID 4344 wrote to memory of 2188	4344	setup_install.exe	101
PID 4344 wrote to memory of 2188	4344	setup_install.exe	101
PID 4344 wrote to memory of 2188	4344	setup_install.exe	101
PID 4344 wrote to memory of 4732	4344	setup_install.exe	102
PID 4344 wrote to memory of 4732	4344	setup_install.exe	102
PID 4344 wrote to memory of 4732	4344	setup_install.exe	102
PID 4344 wrote to memory of 728	4344	setup_install.exe	103
PID 4344 wrote to memory of 728	4344	setup_install.exe	103
PID 4344 wrote to memory of 728	4344	setup_install.exe	103
PID 4344 wrote to memory of 4340	4344	setup_install.exe	104
PID 4344 wrote to memory of 4340	4344	setup_install.exe	104
PID 4344 wrote to memory of 4340	4344	setup_install.exe	104
PID 4344 wrote to memory of 2432	4344	setup_install.exe	105
PID 4344 wrote to memory of 2432	4344	setup_install.exe	105
PID 4344 wrote to memory of 2432	4344	setup_install.exe	105
PID 4344 wrote to memory of 5048	4344	setup_install.exe	106
PID 4344 wrote to memory of 5048	4344	setup_install.exe	106
PID 4344 wrote to memory of 5048	4344	setup_install.exe	106
PID 4344 wrote to memory of 3660	4344	setup_install.exe	141
PID 4344 wrote to memory of 3660	4344	setup_install.exe	141
PID 4344 wrote to memory of 3660	4344	setup_install.exe	141
PID 4344 wrote to memory of 1932	4344	setup_install.exe	108
PID 4344 wrote to memory of 1932	4344	setup_install.exe	108
PID 4344 wrote to memory of 1932	4344	setup_install.exe	108
PID 4344 wrote to memory of 4156	4344	setup_install.exe	109
PID 4344 wrote to memory of 4156	4344	setup_install.exe	109
PID 4344 wrote to memory of 4156	4344	setup_install.exe	109
PID 4344 wrote to memory of 4780	4344	setup_install.exe	110
PID 4344 wrote to memory of 4780	4344	setup_install.exe	110
PID 4344 wrote to memory of 4780	4344	setup_install.exe	110
PID 3976 wrote to memory of 4036	3976	cmd.exe	112
PID 3976 wrote to memory of 4036	3976	cmd.exe	112
PID 3976 wrote to memory of 4036	3976	cmd.exe	112
PID 4340 wrote to memory of 1032	4340	cmd.exe	113
PID 4340 wrote to memory of 1032	4340	cmd.exe	113
PID 4340 wrote to memory of 1032	4340	cmd.exe	113
PID 2432 wrote to memory of 4968	2432	cmd.exe	114
PID 2432 wrote to memory of 4968	2432	cmd.exe	114
PID 2432 wrote to memory of 4968	2432	cmd.exe	114
PID 5048 wrote to memory of 4556	5048	cmd.exe	116
PID 5048 wrote to memory of 4556	5048	cmd.exe	116
PID 5048 wrote to memory of 4556	5048	cmd.exe	116
PID 4732 wrote to memory of 3944	4732	cmd.exe	115
PID 4732 wrote to memory of 3944	4732	cmd.exe	115
PID 2188 wrote to memory of 4312	2188	cmd.exe	151
PID 2188 wrote to memory of 4312	2188	cmd.exe	151
PID 2188 wrote to memory of 4312	2188	cmd.exe	151
PID 1932 wrote to memory of 4368	1932	cmd.exe	119
PID 1932 wrote to memory of 4368	1932	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a.exe
"C:\Users\Admin\AppData\Local\Temp\abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon17742f90b916675f2.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3976
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17742f90b916675f2.exe
        
        Mon17742f90b916675f2.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon17eac6d534bfd22c7.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17eac6d534bfd22c7.exe
        
        Mon17eac6d534bfd22c7.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4312
      - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17eac6d534bfd22c7.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17eac6d534bfd22c7.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon17c604381c7047e.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17c604381c7047e.exe
        
        Mon17c604381c7047e.exe
        5⤵
        Executes dropped EXE
        
        PID:3944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon17e1fac3fd3d84b.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:728
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17e1fac3fd3d84b.exe
        
        Mon17e1fac3fd3d84b.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17e1fac3fd3d84b.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17e1fac3fd3d84b.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17e1fac3fd3d84b.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17e1fac3fd3d84b.exe") do taskkill /F -Im "%~NxU"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\09xU.exE
        
        09xU.EXE -pPtzyIkqLZoCarb5ew
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHO "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\control.exe
        
        control .\R6f7sE.I
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
        12⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
        13⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
        14⤵
        Blocklisted process makes network request
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\e59ca6a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e59ca6a.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 780
        16⤵
        Program crash
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\e59f4e5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e59f4e5.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 792
        14⤵
        Program crash
        
        PID:3660
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F -Im "Mon17e1fac3fd3d84b.exe"
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon17b5f403be4d8d6b.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17b5f403be4d8d6b.exe
        
        Mon17b5f403be4d8d6b.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon17f45359eb9.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17f45359eb9.exe
        
        Mon17f45359eb9.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        
        PID:4968
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 356
        6⤵
        Program crash
        
        PID:1448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon1785436ae78.exe /mixone
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon1785436ae78.exe
        
        Mon1785436ae78.exe /mixone
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 628
        6⤵
        Program crash
        
        PID:2484
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 456
        6⤵
        Program crash
        
        PID:4228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 788
        6⤵
        Program crash
        
        PID:1192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 808
        6⤵
        Program crash
        
        PID:4888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 772
        6⤵
        Program crash
        
        PID:3688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 896
        6⤵
        Program crash
        
        PID:2160
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1048
        6⤵
        Program crash
        
        PID:3988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1056
        6⤵
        Program crash
        
        PID:1192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1340
        6⤵
        Program crash
        
        PID:4404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1360
        6⤵
        Program crash
        
        PID:4348
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 828
        6⤵
        Program crash
        
        PID:808
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 800
        6⤵
        Program crash
        
        PID:4740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon17948100733a95c58.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3660
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17948100733a95c58.exe
        
        Mon17948100733a95c58.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4320
      - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17948100733a95c58.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17948100733a95c58.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon179e1058f256.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon179e1058f256.exe
        
        Mon179e1058f256.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon1795d04d4bd.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4156
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon1795d04d4bd.exe
        
        Mon1795d04d4bd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon178817e243.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4780
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon178817e243.exe
        
        Mon178817e243.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 580
      4⤵
      Program crash
      PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4344 -ip 4344
1⤵
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=3852 /prefetch:8
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4968 -ip 4968
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4556 -ip 4556
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4556 -ip 4556
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4556 -ip 4556
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4556 -ip 4556
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4556 -ip 4556
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4556 -ip 4556
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4556 -ip 4556
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4556 -ip 4556
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4556 -ip 4556
1⤵
PID:3324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2016 -ip 2016
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4856 -ip 4856
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4556 -ip 4556
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4556 -ip 4556
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4556 -ip 4556
1⤵
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mon17948100733a95c58.exe.log

Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\20L2vNO.2

Filesize
474KB

MD5
4bf3493517977a637789c23464a58e06

SHA1
519b1fd3df0a243027c8cf4475e6b2cc19e1f1f4

SHA256
ccf0f8d1770436e1cd6cdcfa72d79a791a995a2f11d22bdf2b1e9bfbdd6f4831

SHA512
4d094e86e9c7d35231020d97fbcc7d0c2f748d1c22819d1d27dabbb262967800cc326911a7e5f674461d9932e244affe9a01fa9527f53248e5867490e0e09501

Download Submit
C:\Users\Admin\AppData\Local\Temp\7TcIneJp.0

Filesize
126KB

MD5
6c83f0423cd52d999b9ad47b78ba0c6a

SHA1
1f32cbf5fdaca123d32012cbc8cb4165e1474a04

SHA256
4d61a69e27c9a8982607ace09f0f507625f79050bdf7143c7fe0701bf1fab8ae

SHA512
e3d1537f4b22ceadfef3b30216b63320b397a179ab9d5f1eb66f93811a2717ee1fb6222989f610acd4c33fae6078c3df510022b5748a4f1d88ebf08c12f9deec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17742f90b916675f2.exe

Filesize
89KB

MD5
37a1c118196892aa451573a142ea05d5

SHA1
4144c1a571a585fef847da516be8d89da4c8771e

SHA256
a3befd523e1e2f4e6f8fce281963f5efb85fe54d85ba67746cc58823d479e92a

SHA512
aac6321582dac5d82cbdb197c20370df3436cf884bea44cbc6d156fd6c4fa99340a3fa866862b83fb0866b31a1e4ebdd73c462972beeb299d4af95592c1d94db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon1785436ae78.exe

Filesize
438KB

MD5
0fc8ba6de4099ddc991eade9b86a6f06

SHA1
7b723301027c1c6979561bc60b2be47d481c7c17

SHA256
c0658b1c3245fdf7c34d69afd2962131243c6b615f53b0a0c85635ddbc15497a

SHA512
8c1ee3032cae73f91d162f37daeaec265e2478495df90626737c48fc523ff8e3383ba6cf5ddfafab24ecf134a816ca167ac3a9535ccfd3059e8374c6a27c17df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon178817e243.exe

Filesize
8KB

MD5
c213a2444632ffdf0425e0288bca48b9

SHA1
cd4985866907bdd1f61ac637eee7323e624d053f

SHA256
5565c7f24d0dad9c8b874603cd5386efd81e7ff252706ac150b20f0c2fd9add7

SHA512
692afbdd4c5b20924a10446a045eabae6e076b8711321a9def9a5640a5384db8e257cbb3533143c1046b77c58715c6c48d5827804c8e80c983ff16e7b9c9c395

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17948100733a95c58.exe

Filesize
422KB

MD5
b6b87e674629a0f112cb1283b0322ccb

SHA1
f35f95a13c24d07460d7a4c14d20d27b2e202539

SHA256
64bd25466e41df79bbf715e4e068829f58cab364283ab1d0baaebf957c836899

SHA512
d5704d375ce6578b7b4c83fe5b8778ae0d8c596ed5adb533a4ca42a1f05fdf40fc0c90d3e6e10c0ad738ee1e3f6d7264e64826401b7321fc46b4df32eac45079

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon1795d04d4bd.exe

Filesize
62KB

MD5
d082843d4e999ea9bbf4d89ee0dc1886

SHA1
4e2117961f8dac71dde658a457fb6a56d5a6f1aa

SHA256
0f3822efa9fa3fcb532a043df68175865eca68a2805b1415d0d89de69a49628b

SHA512
b51811d489636b6266131452f7cb0bf294d855f1baaa078894051cd19169c2b3e4496e46026c2b2b375f979619e4f8d2f939f05fc9e8fc888a836c01586db2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon179e1058f256.exe

Filesize
429KB

MD5
ecc773623762e2e326d7683a9758491b

SHA1
ad186c867976dc5909843418853d54d4065c24ba

SHA256
8f97a40b4d9cf26913ab95eec548d75a8dad5a1a24d992d047e080070282d838

SHA512
40e30981f533b19123ec3d84276a28acd282c01907398ca6d67155901cfaf2c2d6355dc708d0ecfc6c21b5c671b4c3bb87eeb53183b7085474a2acd302f038a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17b5f403be4d8d6b.exe

Filesize
402KB

MD5
06ee576f9fdc477c6a91f27e56339792

SHA1
4302b67c8546d128f3e0ab830df53652f36f4bb0

SHA256
035373a454afd283da27ebf569ab355be7db470a1a30c3695e18c984b785e1f8

SHA512
e5b337158905651e2740378615fcd9a8ba2b5e46f02c75be20c22e89b4cb40e8f1dfec1c5c1135f4d59114da9200a772f591622eddb865880b296321d80fb616

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17c604381c7047e.exe

Filesize
1.4MB

MD5
f3b4ee77d66819821e9921b61f969bae

SHA1
4615610c80ff5d2e251d0d91abbe623acfa74f7c

SHA256
dd2ff55cf7f143254e8478619014bc083e65dd48ef2329e45d39fe65d5e5cc73

SHA512
58ded47d2bcd88d6f79d35f7406bfcf22b889b52e6f293c12201de5ceb834d3905472d9c384b469bb42de74e3eab429a39918b3368107002c1f4abc252328d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17e1fac3fd3d84b.exe

Filesize
1.2MB

MD5
7c6b2dc2c253c2a6a3708605737aa9ae

SHA1
cf4284f29f740b4925fb2902f7c3f234a5744718

SHA256
b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba

SHA512
19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17eac6d534bfd22c7.exe

Filesize
432KB

MD5
5721981400faf8edb9cb2fa1e71404a2

SHA1
7c753bafd9ac4a8c8f8507b616ee7d614494c475

SHA256
15d244ba6413c14e9e0e72b8ae123ca49812b15398208e4aab1422160da75e0f

SHA512
4f4e36ef1ee116681b780fe4e71f97215797df55e51e3818d7b7495f284723fcffd233fc01a66863573c2ad70b77821ef0880a3b58b300c5233d5a636b019c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\Mon17f45359eb9.exe

Filesize
340KB

MD5
be60d71b303f2aae5618315147c7d3f9

SHA1
3193aa204c2cf5a82ac532ab9fd436acad7953c1

SHA256
e4ba726fbd2c56cd2426ba04823637264be89a9807a935d0939dc1578bdd951e

SHA512
2c15b655b0cc12eb7bd5329a922dbdba6f226748f45d03c777980cce79a841c28a1d9dc1283d0a5c361e4ebd537f2ba4c1b44f59d3a5faf132eae48f1f884a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4540A58\setup_install.exe

Filesize
2.1MB

MD5
33d05f6171d18f49edd9c5b1bc5b8c72

SHA1
dc5ceb79b3e91225ef363ee9baf9a32877bd1fe9

SHA256
299d4afc166f5aabfdd48c1477bac071e3be9126756fc7e57925aa49f8d9cf85

SHA512
edae7bfd931b06d2725ed88ac6e14ad800df8a867fe29cfd76832b44546e9c562fd428c802e9050df8c9a56e87a4ee3862b4488a8143a99b18e6c56988cc7935

Download Submit
C:\Users\Admin\AppData\Local\Temp\R6f7sE.I

Filesize
1.3MB

MD5
bd3523387b577979a0d86ff911f97f8b

SHA1
1f90298142a27ec55118317ee63609664bcecb45

SHA256
a7e608f98f06260044d545f7279b8f859f7b7af98ac2b2b79a3cd7ac3b2dac36

SHA512
b37cb8daddb526312f6be439a3cb87fe62b69d44866df708f10eb148455f09f90b0dcee4360c1ae332d3936357fd4c474920aebec5aa8ddb005b617356c3d286

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScMeAP.SU

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5gdcdb3u.5he.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e59ca6a.exe

Filesize
9KB

MD5
a014b8961283f1e07d7f31ecdd7db62f

SHA1
70714b6dc8abbaa5d1cba38c047ea3a4ec6ac065

SHA256
21ce0cdfaeb6d7f58bd17545be18f9cd3ac2476939112872d1a05d3164098f89

SHA512
bd0bb1405c7d74c941c5db0d3fd5fbe93544055f79db5076ab293c868568873df98f902c343096ff765be6c4911435617aab2ada15591dfc90606b5630d64869

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUVIl5.SCh

Filesize
231KB

MD5
973c9cf42285ae79a7a0766a1e70def4

SHA1
4ab15952cbc69555102f42e290ae87d1d778c418

SHA256
7163bfaaaa7adb44e4c272a5480fbd81871412d0dd3ed07a92e0829e68ec2968

SHA512
1a062774d3d86c0455f0018f373f9128597b676dead81b1799d2c2f4f2741d32b403027849761251f8389d248466bcd66836e0952675adcd109cc0e950eaec85

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
3.4MB

MD5
264fbe02a8acae2ba9a5144f8b947aae

SHA1
3de9e174bb8105895c3ef65fe49233cbb34b8778

SHA256
ab3f08d6cfe4107ef0a285ce7862846169ec0e0f942b146e27e90919e48f9e24

SHA512
11e0a03eb5004159a1c7dc84bb52caa7394740b87e375ce2be0701bd8b12445af01ee22ac7f9c91516b53cfca7e13619623524122d489e34946038732a2fe067

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykifDQA.1

Filesize
486KB

MD5
7b25b2318e896fa8f9a99f635c146c9b

SHA1
10f39c3edb37b848974da0f9c1a5baa7d7f28ee2

SHA256
723b3b726b9a7394ac3334df124a2033536b108a8eb87ec69e0a6e022c7dcd89

SHA512
a3b294e93e9d0a199af21ad50af8290c0e0aaa7487019480ca3ffd75aa8ad51c4d33612ec69275e4fa2273ca5e33fdfdf263bb0ce81ad43ce092147118fa8ca6

Download Submit
memory/1336-168-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2016-269-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/2596-121-0x0000000002580000-0x0000000002586000-memory.dmp

Filesize
24KB

Download
memory/2596-116-0x0000000000510000-0x0000000000528000-memory.dmp

Filesize
96KB

Download
memory/3284-165-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3956-239-0x0000000004300000-0x000000000438B000-memory.dmp

Filesize
556KB

Download
memory/3956-240-0x0000000004390000-0x0000000004417000-memory.dmp

Filesize
540KB

Download
memory/3956-226-0x0000000003510000-0x00000000035A2000-memory.dmp

Filesize
584KB

Download
memory/3956-223-0x0000000003510000-0x00000000035A2000-memory.dmp

Filesize
584KB

Download
memory/3956-222-0x0000000003460000-0x0000000003505000-memory.dmp

Filesize
660KB

Download
memory/3956-237-0x0000000003510000-0x00000000035A2000-memory.dmp

Filesize
584KB

Download
memory/3956-238-0x00000000035B0000-0x00000000042F1000-memory.dmp

Filesize
13.3MB

Download
memory/3956-229-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/3956-245-0x0000000000D00000-0x0000000000D05000-memory.dmp

Filesize
20KB

Download
memory/3956-244-0x0000000000CF0000-0x0000000000CF3000-memory.dmp

Filesize
12KB

Download
memory/3956-243-0x0000000004390000-0x0000000004417000-memory.dmp

Filesize
540KB

Download
memory/4312-125-0x00000000007D0000-0x0000000000842000-memory.dmp

Filesize
456KB

Download
memory/4320-127-0x00000000051B0000-0x0000000005754000-memory.dmp

Filesize
5.6MB

Download
memory/4320-126-0x0000000004910000-0x000000000492E000-memory.dmp

Filesize
120KB

Download
memory/4320-124-0x0000000004930000-0x00000000049A6000-memory.dmp

Filesize
472KB

Download
memory/4320-123-0x0000000000210000-0x0000000000280000-memory.dmp

Filesize
448KB

Download
memory/4344-67-0x00000000007A0000-0x000000000082F000-memory.dmp

Filesize
572KB

Download
memory/4344-78-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4344-134-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4344-79-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4344-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4344-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4344-68-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/4344-141-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4344-142-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4344-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4344-143-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4344-138-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/4344-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4344-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4344-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4344-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4344-140-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4344-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4344-69-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4344-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4344-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4368-130-0x0000000006360000-0x0000000006978000-memory.dmp

Filesize
6.1MB

Download
memory/4368-129-0x0000000005C70000-0x0000000005C92000-memory.dmp

Filesize
136KB

Download
memory/4368-131-0x0000000005D30000-0x0000000005D42000-memory.dmp

Filesize
72KB

Download
memory/4368-207-0x0000000000400000-0x00000000016E0000-memory.dmp

Filesize
18.9MB

Download
memory/4368-128-0x0000000005BF0000-0x0000000005C14000-memory.dmp

Filesize
144KB

Download
memory/4368-133-0x0000000005D50000-0x0000000005D8C000-memory.dmp

Filesize
240KB

Download
memory/4368-144-0x0000000006AC0000-0x0000000006B0C000-memory.dmp

Filesize
304KB

Download
memory/4368-132-0x0000000006980000-0x0000000006A8A000-memory.dmp

Filesize
1.0MB

Download
memory/4556-209-0x0000000000400000-0x00000000016E1000-memory.dmp

Filesize
18.9MB

Download
memory/4556-206-0x0000000000400000-0x00000000016E1000-memory.dmp

Filesize
18.9MB

Download
memory/4728-120-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/4760-152-0x0000000007850000-0x0000000007882000-memory.dmp

Filesize
200KB

Download
memory/4760-102-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/4760-193-0x0000000007DE0000-0x0000000007DEE000-memory.dmp

Filesize
56KB

Download
memory/4760-196-0x0000000007EE0000-0x0000000007EFA000-memory.dmp

Filesize
104KB

Download
memory/4760-198-0x0000000007ED0000-0x0000000007ED8000-memory.dmp

Filesize
32KB

Download
memory/4760-145-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/4760-91-0x00000000052C0000-0x00000000052F6000-memory.dmp

Filesize
216KB

Download
memory/4760-92-0x0000000005A90000-0x00000000060B8000-memory.dmp

Filesize
6.2MB

Download
memory/4760-185-0x0000000007DB0000-0x0000000007DC1000-memory.dmp

Filesize
68KB

Download
memory/4760-184-0x0000000007E20000-0x0000000007EB6000-memory.dmp

Filesize
600KB

Download
memory/4760-122-0x00000000063B0000-0x0000000006704000-memory.dmp

Filesize
3.3MB

Download
memory/4760-175-0x0000000007C30000-0x0000000007C3A000-memory.dmp

Filesize
40KB

Download
memory/4760-153-0x000000006F3A0000-0x000000006F3EC000-memory.dmp

Filesize
304KB

Download
memory/4760-194-0x0000000007DF0000-0x0000000007E04000-memory.dmp

Filesize
80KB

Download
memory/4760-101-0x0000000006100000-0x0000000006122000-memory.dmp

Filesize
136KB

Download
memory/4760-163-0x0000000006DD0000-0x0000000006DEE000-memory.dmp

Filesize
120KB

Download
memory/4760-174-0x0000000007BC0000-0x0000000007BDA000-memory.dmp

Filesize
104KB

Download
memory/4760-173-0x0000000008240000-0x00000000088BA000-memory.dmp

Filesize
6.5MB

Download
memory/4760-164-0x0000000007B10000-0x0000000007BB3000-memory.dmp

Filesize
652KB

Download
memory/4760-103-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/4912-217-0x0000000003FF0000-0x0000000004077000-memory.dmp

Filesize
540KB

Download
memory/4912-216-0x0000000003F60000-0x0000000003FEB000-memory.dmp

Filesize
556KB

Download
memory/4912-215-0x0000000003210000-0x0000000003F51000-memory.dmp

Filesize
13.3MB

Download
memory/4912-214-0x0000000003170000-0x0000000003202000-memory.dmp

Filesize
584KB

Download
memory/4912-208-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/4912-202-0x0000000003170000-0x0000000003202000-memory.dmp

Filesize
584KB

Download
memory/4912-205-0x0000000003170000-0x0000000003202000-memory.dmp

Filesize
584KB

Download
memory/4912-201-0x00000000030C0000-0x0000000003165000-memory.dmp

Filesize
660KB

Download
memory/4968-146-0x0000000000400000-0x00000000016C8000-memory.dmp

Filesize
18.8MB

Download