fabookie | 669ae7546f43d4f4c06680ccf97908e524ad1ccd818d13e2cc8460619ce753a3

Analysis

max time kernel
61s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

6.0MB
MD5

cb6ea932807f63821715e87a32d96ba6
SHA1

cc2fb753d385683d6f972adab5b3148ca30d75c9
SHA256

aa401b09d4b6ec37c7159a9b025500993642573bc32b1e78aaea25c2fe168c57
SHA512

acc3a31e1753e3185674f57c870a410e9ca6aa139fd43384845ebd51cacebb682e1a70a65acb170859b71f7562b9717d2fca8c192dfc366fcf16d9477dc4d065
SSDEEP

98304:xXCvLUBsgXkIzHTp32FUbhKMr7+dbQQ9bCGJjK6f9SIoYg8FDJHgiCSdUs+ZRjWy:xULUCgUuHTsFUbrwzm6M1x81tLdUlPWy

Score

10^/10

fabookie nullmixer redline socelars vidar 915 media14n v2user1 aspackv2 discovery dropper execution infostealer spyware stealer

Malware Config

Extracted

Family

socelars

http://www.yarchworkshop.com/

Extracted

Family

redline

Botnet

v2user1

159.69.246.184:13127

Attributes

auth_value
0cd1ad671efa88aa6b92a97334b72134

Extracted

Family

redline

Botnet

media14n

65.108.69.168:13293

Attributes

auth_value
db1bd9b56a9c8bae94bb9c3ceead1829

Extracted

Family

vidar

Version

49.1

Botnet

915

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes

profile_id
915

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral4/files/0x000a000000023b8a-115.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/memory/4520-215-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral4/memory/2036-233-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral4/files/0x000a000000023b86-123.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral4/files/0x000a000000023b8a-115.dat	Nirsoft
behavioral4/memory/3516-201-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral4/files/0x000b000000023b7c-200.dat	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral4/files/0x000a000000023b8a-115.dat	WebBrowserPassView

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral4/memory/3268-318-0x0000000000400000-0x0000000000892000-memory.dmp	family_vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5052	powershell.exe
2968	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x000a000000023b7a-61.dat	aspack_v212_v242
behavioral4/files/0x000a000000023b77-55.dat	aspack_v212_v242
behavioral4/files/0x000a000000023b78-52.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Wed158c4d832483dca5.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Wed15462d0908875cc7.exe

Executes dropped EXE 23 IoCs

pid	Process
2796	setup_install.exe
1684	Wed15ada196cda5299.exe
5032	Wed1585cf7372.exe
2460	Wed15b1f483121d7.exe
1048	Wed151063a67e4fb25.exe
2472	Wed15cf9217ee25.exe
4476	Wed156eff953b0ec.exe
928	Wed15a496b9738c79.exe
1212	Wed158c4d832483dca5.exe
1608	Wed1541b8f98f.exe
2432	Wed15348d008c3887.exe
5008	Wed15b688725f14e50ec.exe
3268	Wed15df05b995.exe
1920	Wed15293e7a1888b.exe
2476	Wed15462d0908875cc7.exe
1696	Wed158c4d832483dca5.tmp
4708	Wed156eff953b0ec.tmp
4852	Wed15b1f483121d7.exe
3260	Wed158c4d832483dca5.exe
3516	11111.exe
1340	Wed158c4d832483dca5.tmp
4520	Wed1541b8f98f.exe
2036	Wed15b1f483121d7.exe

Loads dropped DLL 14 IoCs

pid	Process
2796	setup_install.exe
2796	setup_install.exe
2796	setup_install.exe
2796	setup_install.exe
2796	setup_install.exe
2796	setup_install.exe
2796	setup_install.exe
4708	Wed156eff953b0ec.tmp
1696	Wed158c4d832483dca5.tmp
1340	Wed158c4d832483dca5.tmp
3948	rundll32.exe
3948	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json	Wed15a496b9738c79.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs

Web Service

T1102

flow	ioc
143	iplogger.org
172	iplogger.org
83	iplogger.org
87	iplogger.org
114	iplogger.org
134	iplogger.org
160	iplogger.org
8	iplogger.org
121	iplogger.org
124	iplogger.org
157	iplogger.org
165	iplogger.org
72	iplogger.org
96	iplogger.org
109	iplogger.org
151	iplogger.org
54	iplogger.org
103	iplogger.org
148	iplogger.org
154	iplogger.org
15	iplogger.org
24	iplogger.org
9	iplogger.org
63	iplogger.org
93	iplogger.org
137	iplogger.org
140	iplogger.org
36	iplogger.org
57	iplogger.org
90	iplogger.org
130	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1608 set thread context of 4520	1608	Wed1541b8f98f.exe	126
PID 2460 set thread context of 2036	2460	Wed15b1f483121d7.exe	128

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4596	1920	WerFault.exe	119
2484	1684	WerFault.exe	107
2536	3268	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed158c4d832483dca5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed1541b8f98f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15df05b995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed1541b8f98f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15a496b9738c79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15348d008c3887.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed158c4d832483dca5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15b1f483121d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15ada196cda5299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15b1f483121d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed156eff953b0ec.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15b688725f14e50ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15293e7a1888b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15462d0908875cc7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed158c4d832483dca5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed158c4d832483dca5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15cf9217ee25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed156eff953b0ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed15ada196cda5299.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed15ada196cda5299.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed15ada196cda5299.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3184	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	Wed15462d0908875cc7.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5052	powershell.exe
5052	powershell.exe
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe
5052	powershell.exe
5052	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	5032	Wed1585cf7372.exe
Token: SeDebugPrivilege	2460	Wed15b1f483121d7.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeCreateTokenPrivilege	928	Wed15a496b9738c79.exe
Token: SeAssignPrimaryTokenPrivilege	928	Wed15a496b9738c79.exe
Token: SeLockMemoryPrivilege	928	Wed15a496b9738c79.exe
Token: SeIncreaseQuotaPrivilege	928	Wed15a496b9738c79.exe
Token: SeMachineAccountPrivilege	928	Wed15a496b9738c79.exe
Token: SeTcbPrivilege	928	Wed15a496b9738c79.exe
Token: SeSecurityPrivilege	928	Wed15a496b9738c79.exe
Token: SeTakeOwnershipPrivilege	928	Wed15a496b9738c79.exe
Token: SeLoadDriverPrivilege	928	Wed15a496b9738c79.exe
Token: SeSystemProfilePrivilege	928	Wed15a496b9738c79.exe
Token: SeSystemtimePrivilege	928	Wed15a496b9738c79.exe
Token: SeProfSingleProcessPrivilege	928	Wed15a496b9738c79.exe
Token: SeIncBasePriorityPrivilege	928	Wed15a496b9738c79.exe
Token: SeCreatePagefilePrivilege	928	Wed15a496b9738c79.exe
Token: SeCreatePermanentPrivilege	928	Wed15a496b9738c79.exe
Token: SeBackupPrivilege	928	Wed15a496b9738c79.exe
Token: SeRestorePrivilege	928	Wed15a496b9738c79.exe
Token: SeShutdownPrivilege	928	Wed15a496b9738c79.exe
Token: SeDebugPrivilege	928	Wed15a496b9738c79.exe
Token: SeAuditPrivilege	928	Wed15a496b9738c79.exe
Token: SeSystemEnvironmentPrivilege	928	Wed15a496b9738c79.exe
Token: SeChangeNotifyPrivilege	928	Wed15a496b9738c79.exe
Token: SeRemoteShutdownPrivilege	928	Wed15a496b9738c79.exe
Token: SeUndockPrivilege	928	Wed15a496b9738c79.exe
Token: SeSyncAgentPrivilege	928	Wed15a496b9738c79.exe
Token: SeEnableDelegationPrivilege	928	Wed15a496b9738c79.exe
Token: SeManageVolumePrivilege	928	Wed15a496b9738c79.exe
Token: SeImpersonatePrivilege	928	Wed15a496b9738c79.exe
Token: SeCreateGlobalPrivilege	928	Wed15a496b9738c79.exe
Token: 31	928	Wed15a496b9738c79.exe
Token: 32	928	Wed15a496b9738c79.exe
Token: 33	928	Wed15a496b9738c79.exe
Token: 34	928	Wed15a496b9738c79.exe
Token: 35	928	Wed15a496b9738c79.exe
Token: SeDebugPrivilege	1608	Wed1541b8f98f.exe
Token: SeDebugPrivilege	1048	Wed151063a67e4fb25.exe
Token: SeDebugPrivilege	3184	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 2796	4024	setup_installer.exe	85
PID 4024 wrote to memory of 2796	4024	setup_installer.exe	85
PID 4024 wrote to memory of 2796	4024	setup_installer.exe	85
PID 2796 wrote to memory of 3916	2796	setup_install.exe	88
PID 2796 wrote to memory of 3916	2796	setup_install.exe	88
PID 2796 wrote to memory of 3916	2796	setup_install.exe	88
PID 2796 wrote to memory of 2668	2796	setup_install.exe	89
PID 2796 wrote to memory of 2668	2796	setup_install.exe	89
PID 2796 wrote to memory of 2668	2796	setup_install.exe	89
PID 2668 wrote to memory of 5052	2668	cmd.exe	91
PID 2668 wrote to memory of 5052	2668	cmd.exe	91
PID 2668 wrote to memory of 5052	2668	cmd.exe	91
PID 3916 wrote to memory of 2968	3916	cmd.exe	90
PID 3916 wrote to memory of 2968	3916	cmd.exe	90
PID 3916 wrote to memory of 2968	3916	cmd.exe	90
PID 2796 wrote to memory of 540	2796	setup_install.exe	92
PID 2796 wrote to memory of 540	2796	setup_install.exe	92
PID 2796 wrote to memory of 540	2796	setup_install.exe	92
PID 2796 wrote to memory of 1144	2796	setup_install.exe	93
PID 2796 wrote to memory of 1144	2796	setup_install.exe	93
PID 2796 wrote to memory of 1144	2796	setup_install.exe	93
PID 2796 wrote to memory of 1020	2796	setup_install.exe	94
PID 2796 wrote to memory of 1020	2796	setup_install.exe	94
PID 2796 wrote to memory of 1020	2796	setup_install.exe	94
PID 2796 wrote to memory of 3384	2796	setup_install.exe	95
PID 2796 wrote to memory of 3384	2796	setup_install.exe	95
PID 2796 wrote to memory of 3384	2796	setup_install.exe	95
PID 2796 wrote to memory of 1756	2796	setup_install.exe	96
PID 2796 wrote to memory of 1756	2796	setup_install.exe	96
PID 2796 wrote to memory of 1756	2796	setup_install.exe	96
PID 2796 wrote to memory of 4564	2796	setup_install.exe	97
PID 2796 wrote to memory of 4564	2796	setup_install.exe	97
PID 2796 wrote to memory of 4564	2796	setup_install.exe	97
PID 2796 wrote to memory of 3032	2796	setup_install.exe	98
PID 2796 wrote to memory of 3032	2796	setup_install.exe	98
PID 2796 wrote to memory of 3032	2796	setup_install.exe	98
PID 2796 wrote to memory of 4724	2796	setup_install.exe	99
PID 2796 wrote to memory of 4724	2796	setup_install.exe	99
PID 2796 wrote to memory of 4724	2796	setup_install.exe	99
PID 2796 wrote to memory of 864	2796	setup_install.exe	100
PID 2796 wrote to memory of 864	2796	setup_install.exe	100
PID 2796 wrote to memory of 864	2796	setup_install.exe	100
PID 2796 wrote to memory of 1552	2796	setup_install.exe	101
PID 2796 wrote to memory of 1552	2796	setup_install.exe	101
PID 2796 wrote to memory of 1552	2796	setup_install.exe	101
PID 2796 wrote to memory of 3588	2796	setup_install.exe	102
PID 2796 wrote to memory of 3588	2796	setup_install.exe	102
PID 2796 wrote to memory of 3588	2796	setup_install.exe	102
PID 2796 wrote to memory of 404	2796	setup_install.exe	103
PID 2796 wrote to memory of 404	2796	setup_install.exe	103
PID 2796 wrote to memory of 404	2796	setup_install.exe	103
PID 2796 wrote to memory of 660	2796	setup_install.exe	104
PID 2796 wrote to memory of 660	2796	setup_install.exe	104
PID 2796 wrote to memory of 660	2796	setup_install.exe	104
PID 2796 wrote to memory of 636	2796	setup_install.exe	105
PID 2796 wrote to memory of 636	2796	setup_install.exe	105
PID 2796 wrote to memory of 636	2796	setup_install.exe	105
PID 2796 wrote to memory of 868	2796	setup_install.exe	106
PID 2796 wrote to memory of 868	2796	setup_install.exe	106
PID 2796 wrote to memory of 868	2796	setup_install.exe	106
PID 540 wrote to memory of 1684	540	cmd.exe	107
PID 540 wrote to memory of 1684	540	cmd.exe	107
PID 540 wrote to memory of 1684	540	cmd.exe	107
PID 1552 wrote to memory of 2460	1552	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed15ada196cda5299.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15ada196cda5299.exe
      Wed15ada196cda5299.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      PID:1684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 356
        5⤵
        Program crash
        
        PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed150fa420cf1b07ced.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed151063a67e4fb25.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed151063a67e4fb25.exe
      Wed151063a67e4fb25.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed15348d008c3887.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3384
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15348d008c3887.exe
      Wed15348d008c3887.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed15cf9217ee25.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15cf9217ee25.exe
      Wed15cf9217ee25.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed15462d0908875cc7.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15462d0908875cc7.exe
      Wed15462d0908875cc7.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2476
    - - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\27~IKAVW.CPL",
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\27~IKAVW.CPL",
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\27~IKAVW.CPL",
        7⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\27~IKAVW.CPL",
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed158c4d832483dca5.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed158c4d832483dca5.exe
      Wed158c4d832483dca5.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1212
    - - C:\Users\Admin\AppData\Local\Temp\is-IHIOB.tmp\Wed158c4d832483dca5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IHIOB.tmp\Wed158c4d832483dca5.tmp" /SL5="$6006E,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed158c4d832483dca5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1696
      - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed158c4d832483dca5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed158c4d832483dca5.exe" /SILENT
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\is-E6BA7.tmp\Wed158c4d832483dca5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E6BA7.tmp\Wed158c4d832483dca5.tmp" /SL5="$70050,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed158c4d832483dca5.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed15293e7a1888b.exe /mixtwo
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4724
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15293e7a1888b.exe
      Wed15293e7a1888b.exe /mixtwo
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1920
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 408
        5⤵
        Program crash
        
        PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed156eff953b0ec.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed156eff953b0ec.exe
      Wed156eff953b0ec.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4476
    - - C:\Users\Admin\AppData\Local\Temp\is-D1QJD.tmp\Wed156eff953b0ec.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-D1QJD.tmp\Wed156eff953b0ec.tmp" /SL5="$501E4,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed156eff953b0ec.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed15b1f483121d7.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15b1f483121d7.exe
      Wed15b1f483121d7.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2460
    - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15b1f483121d7.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15b1f483121d7.exe
        5⤵
        Executes dropped EXE
        
        PID:4852
    - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15b1f483121d7.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15b1f483121d7.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed15a496b9738c79.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15a496b9738c79.exe
      Wed15a496b9738c79.exe
      4⤵
      Executes dropped EXE
      Drops Chrome extension
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:928
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        5⤵
        
        PID:4828
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd6554cc40,0x7ffd6554cc4c,0x7ffd6554cc58
        6⤵
        
        PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed1541b8f98f.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:404
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed1541b8f98f.exe
      Wed1541b8f98f.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed1541b8f98f.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed1541b8f98f.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed15df05b995.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:660
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15df05b995.exe
      Wed15df05b995.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 932
        5⤵
        Program crash
        
        PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed1585cf7372.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:636
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed1585cf7372.exe
      Wed1585cf7372.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed15b688725f14e50ec.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:868
  - - C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15b688725f14e50ec.exe
      Wed15b688725f14e50ec.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1920 -ip 1920
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1684 -ip 1684
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3268 -ip 3268
1⤵
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
6d23e0e856bc6128301842b08f4401da

SHA1
82fc877100f3ff15311f4201189b35656972c35b

SHA256
d644b33d0c929d38c5d2534eaba830938508ef404bf112c7db1421d65998f2ac

SHA512
32bf7f0b6f55676fdac81f980764313de6bdf7a073bd1b7f041ee4d95df28588298e7dba18998ddf1be69cb37ff4cd83cc2c9872a670187ae75828a8b2010a93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
cb17469f345ce2728f03101b8e70b391

SHA1
2f2a5c92259807c05cea0d0e5f8a4fd95cab816a

SHA256
0cf223052528667d5567f6cdf5b7c5594152c6dde1487abeae313e551a9dc8e1

SHA512
59d2c31ac2bfa1bb68944e1f3b3b044b62b3410026064e3ef96f2bd58e601cc0d233e4538dad67d033a43554ce5102686bdacc844de899d66f30b0717abe129b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
3a5dd331a016fd2d9189b7659096b187

SHA1
754391c787dfbf8f2e11efc88d0a2f5458e5c8e7

SHA256
5a44d366e28eee1a4be63f50f039478671e38f3296c0879967753222c3b0645d

SHA512
e06d79c84ff27a55ee84a87d1d77046ce0b478d7bed9cd2a35d09d8a8518ecaff5b6d61290ad96e13bb821c1c56d28e71eed9678ec1bff1a56b2ade000c1d76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
311KB

MD5
cc0d6b6813f92dbf5be3ecacf44d662a

SHA1
b968c57a14ddada4128356f6e39fb66c6d864d3f

SHA256
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498

SHA512
4d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed150fa420cf1b07ced.exe

Filesize
120KB

MD5
dcde74f81ad6361c53ebdc164879a25c

SHA1
640f7b475864bd266edba226e86672101bf6f5c9

SHA256
cc10c90381719811def4bc31ff3c8e32c483c0eeffcb149df0b071e5a60d517b

SHA512
821b1a05601bbaee21cbd0b3cf2859359795ae55a3df8dea81f1142ede74b52af31273ffbbba772d77e40477853e6b02c9df8c44fc2ddad1cf3d248530427fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed151063a67e4fb25.exe

Filesize
151KB

MD5
3b31cac552dc741631b567493f238a2f

SHA1
d92c09126462846d41365a0180a1572a4b5838e0

SHA256
f593c276fffb9961b488a71f33b2675ac50331f704020f7017bd0bf4b469079c

SHA512
631bcb3ecdf59daf9b3c007844928302bb837c16f9df04a419a7aed57bd73a809febab69c0ea412216fc7d666e59a94c1e85432a059152d26f29a91c63ebfe11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15293e7a1888b.exe

Filesize
1.1MB

MD5
aa75aa3f07c593b1cd7441f7d8723e14

SHA1
f8e9190ccb6b36474c63ed65a74629ad490f2620

SHA256
af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1

SHA512
b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15348d008c3887.exe

Filesize
147KB

MD5
c709426184c7d412e0770fdcece52c60

SHA1
ba5caaa72a7f1338815a6f61767fbbcda3f61e52

SHA256
279d55e004ded5923888a2a5bf2e9e8295fa669a436e426396734def04565ea4

SHA512
7f5310126428128851249ce07f08c9d9410274eda04fbe4d8d5a0e4d6256f3fee96846fa0d3ce1206ce1c592c1b87d47bbd0083a47bd1a0726ea80c9804803f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed1541b8f98f.exe

Filesize
532KB

MD5
43e459f57576305386c2a225bfc0c207

SHA1
13511d3f0d41fe28981961f87c3c29dc1aa46a70

SHA256
fb58f709914380bce2e643aa0f64cd5458cb8b29c8f072cd1645e42947f89787

SHA512
33cbcc6fb73147b7b3f2007be904faf01dc04b0e773bb1cfe6290f141b1f01cb260cd4f3826e30ab8c60d981bcc1b7f60e17ab7146ba32c94c87ac3a2b717207

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15462d0908875cc7.exe

Filesize
1.8MB

MD5
ed6bba126cb98da82d5160f44c487147

SHA1
1bc0a3d09fed8a322e0e3f9399ac8efb0a556e34

SHA256
78fa012b9e7b197a0905215d0400d563524b975533c63befaf24644bab5af4c1

SHA512
e94e08bf9ff8c790fc63ac0b395736c6876b938aa3622f371cdbe7e43f67ad1baecad9680ed777a90f5d2c71eace477a63c753f47e1088afbd78fd17693ad881

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed156eff953b0ec.exe

Filesize
381KB

MD5
0295436778d0d530c12a4f2576f9717f

SHA1
fc712556f67fc2ac6eef59db2783d0c4d5e45068

SHA256
8bfd2ae9f340057c1ba4c042215ccc3a461ea24277f2a77e23d915ceb495910a

SHA512
b05f7901cde3c772694a959d040eda981f67c6355611729deb3251feac60621122f0558b2ca36f9e2c6425d92b406f331267b75d4b42597f07e94825ffbfc2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed1585cf7372.exe

Filesize
8KB

MD5
7e32ef0bd7899fa465bb0bc866b21560

SHA1
115d09eeaff6bae686263d57b6069dd41f63c80c

SHA256
f45daafd61371b1f080a92eea8e9c8bfc9b710f22c82d5a06a1b1bf271c646ad

SHA512
9fbf4afc7a03460cd56f2456684108ccce9cfc8d31361bb49dd0531fa82b6b002450ab3c4c7f3d96f1dc55761615465828b1c33702d23d59fabe155a9db1b5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed158c4d832483dca5.exe

Filesize
1.5MB

MD5
204801e838e4a29f8270ab0ed7626555

SHA1
6ff2c20dc096eefa8084c97c30d95299880862b0

SHA256
13357a53f4c23bd8ac44790aa1db3233614c981ded62949559f63e841354276a

SHA512
008e6cb08094621bbcadfca32cc611a4a8c78158365e5c81eb58c4e7d5b7e3d36c88b543390120104f1c70c5393b1c1c38c33761cf65736fdf6873648df3fc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15a496b9738c79.exe

Filesize
1.4MB

MD5
367c574185ea01ac2ba69a1c8856ad57

SHA1
0b9b5af1ce8dce38937357f47e2817d85a6aba61

SHA256
18a630270e0ab33eccfb304269b4fa5bcefa565a1dbe3bd04f3f2a269646f5e9

SHA512
7862ad92b670e7193f266473c59166a6a9081ad28c66d328521aa288ad3ab92d9b98563b0fb768442706692224a69965d697b75dc974c73be934b5fd32f80a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15ada196cda5299.exe

Filesize
166KB

MD5
da9161800860fe7026a467b0974f7616

SHA1
e53ee1e2fdfcf777d7f5b3c47111c85edeee4c5a

SHA256
6a4a2c3368555340d852697a2fc56d9c98164b93e4101803466f8b6cbe68762d

SHA512
460508b701e610404567285c020a819926319d0564c1180371922972ead9568849fe2bf2192dd28f09706cad27a0bb5d93bb08bab70d87ff55c70e51920fa7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15b1f483121d7.exe

Filesize
532KB

MD5
394452dc2bb66b83e6763fc1542b2a87

SHA1
74b3fb5bf64f4eb3fc59152330befef67f5464c2

SHA256
037bed7bce597aec4c2320e48715ab3a387d10e1ecad7a494bc72ebd60168794

SHA512
b5f4405a672df81d4e5155247bbd5522f15b534c6edd2892fc4c9032ae3d8c42d6e239ca52f604f84fdad993e7deeff4613938403cb829b60e610f683a40ea4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15b688725f14e50ec.exe

Filesize
147KB

MD5
fb6abbe70588dd2b3fb91161410f2805

SHA1
193085164a8d2caa9e1e4e6d619be6481b5623b9

SHA256
9283fb214b006f9e2fd49fe21798a44ae5663566b1b2b08b448db7bdda996859

SHA512
9f2e7045982e61efeb4b3ec5523b0cc63d096166fcb02ea1d66fcdbf0f2fbec575baa381f7727c9222ea23b65038e4f98479514ab3168b6d9f5138cb64bb177a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15cf9217ee25.exe

Filesize
1.4MB

MD5
6a306f07fcb8c28197a292dcd39d8796

SHA1
ef25c24fd3918a0efd450c1c5c873265d5886626

SHA256
68fb1568af02a8bff326df6de053d082199db809aa925aefac2749c64f78994f

SHA512
84f938b3974be1b66872cdacb910ec580a2542068d018ac93662238de55a898a5d6df6e9a202a18138effc9308fffac1612149be879f1803bc73f5972f54b90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\Wed15df05b995.exe

Filesize
642KB

MD5
4ab9a562ae67268c6bb05b16d749bc9b

SHA1
68d495c62dfeb11a06b3c0d01d090bb56cb48140

SHA256
aae6eab70a845dacd24f6e33c7e5161b2218a784b8d6017e1d9dda95d83ddf6d

SHA512
822108a76a47edc6782c41195c5947844bb6f6e588ebd5f4de2fd3c944dab81416ef051dd4aef6d3908e1dd79c2c96043668d4e7127b595a69af312256032e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BF615C7\setup_install.exe

Filesize
2.1MB

MD5
912368164a5c99aacb8fcb58b4ee017a

SHA1
29f6342d0b955bd861ca83135b286f505f1c68a6

SHA256
1523475f249dac98abee0ead1f81d3d408d3bf67827c7382e034e7d330fe7c7a

SHA512
ef741ad8b9402ed5b1ddbf4ecf8440ae5304dcfe3450af21b52dd9c1fd71de6c44a2bfd5f8cd0c518fc08bc1c40a45f748287009031699a415de0f95794c90b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_imjy5owa.kgf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D1QJD.tmp\Wed156eff953b0ec.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HDIOG.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IHIOB.tmp\Wed158c4d832483dca5.tmp

Filesize
2.5MB

MD5
a6865d7dffcc927d975be63b76147e20

SHA1
28e7edab84163cc2d0c864820bef89bae6f56bf8

SHA256
fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b

SHA512
a9d2b59b40793fb685911f0e452e43a8e83c1bd133fda8a2a210ef1b9ca7ad419b8502fbb75b37f1b0fdef6ad0381b7d910fbff0bcfdeeec9e26b81d11effcec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R4DN8.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/1048-140-0x0000000001220000-0x000000000123C000-memory.dmp

Filesize
112KB

Download
memory/1048-150-0x0000000002A60000-0x0000000002A66000-memory.dmp

Filesize
24KB

Download
memory/1048-118-0x0000000001210000-0x0000000001216000-memory.dmp

Filesize
24KB

Download
memory/1048-117-0x0000000000A40000-0x0000000000A6E000-memory.dmp

Filesize
184KB

Download
memory/1212-208-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1212-125-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1340-314-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/1608-142-0x0000000000D40000-0x0000000000DCC000-memory.dmp

Filesize
560KB

Download
memory/1684-283-0x0000000000400000-0x000000000081B000-memory.dmp

Filesize
4.1MB

Download
memory/1696-204-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/1920-235-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1920-155-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2036-233-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2044-336-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/2044-330-0x000000002D730000-0x000000002D7CB000-memory.dmp

Filesize
620KB

Download
memory/2044-333-0x000000002D730000-0x000000002D7CB000-memory.dmp

Filesize
620KB

Download
memory/2044-327-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/2044-328-0x000000002D680000-0x000000002D72F000-memory.dmp

Filesize
700KB

Download
memory/2460-116-0x0000000004D40000-0x0000000004DB6000-memory.dmp

Filesize
472KB

Download
memory/2460-112-0x0000000000410000-0x000000000049C000-memory.dmp

Filesize
560KB

Download
memory/2460-119-0x0000000004B90000-0x0000000004BAE000-memory.dmp

Filesize
120KB

Download
memory/2460-148-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/2796-105-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2796-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2796-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2796-101-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2796-103-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2796-104-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2796-57-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2796-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2796-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2796-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2796-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2796-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2796-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2796-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2796-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2796-106-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2796-71-0x0000000000770000-0x00000000007FF000-memory.dmp

Filesize
572KB

Download
memory/2796-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2796-73-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2796-95-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2796-72-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/2968-245-0x000000006ED30000-0x000000006ED7C000-memory.dmp

Filesize
304KB

Download
memory/2968-108-0x0000000005440000-0x0000000005A68000-memory.dmp

Filesize
6.2MB

Download
memory/2968-76-0x0000000073DCE000-0x0000000073DCF000-memory.dmp

Filesize
4KB

Download
memory/2968-137-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/2968-228-0x0000000073DCE000-0x0000000073DCF000-memory.dmp

Filesize
4KB

Download
memory/2968-136-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/2968-129-0x0000000005BA0000-0x0000000005BC2000-memory.dmp

Filesize
136KB

Download
memory/2968-113-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/2968-78-0x0000000004D60000-0x0000000004D96000-memory.dmp

Filesize
216KB

Download
memory/2968-305-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/2968-96-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/2968-298-0x00000000079A0000-0x00000000079A8000-memory.dmp

Filesize
32KB

Download
memory/2968-294-0x00000000079B0000-0x00000000079CA000-memory.dmp

Filesize
104KB

Download
memory/2968-289-0x00000000078C0000-0x00000000078D4000-memory.dmp

Filesize
80KB

Download
memory/2968-288-0x00000000078B0000-0x00000000078BE000-memory.dmp

Filesize
56KB

Download
memory/2968-181-0x00000000066E0000-0x000000000672C000-memory.dmp

Filesize
304KB

Download
memory/2968-282-0x0000000007880000-0x0000000007891000-memory.dmp

Filesize
68KB

Download
memory/2968-240-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/2968-256-0x0000000007320000-0x00000000073C3000-memory.dmp

Filesize
652KB

Download
memory/2968-255-0x00000000072F0000-0x000000000730E000-memory.dmp

Filesize
120KB

Download
memory/2968-180-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/2968-244-0x00000000068E0000-0x0000000006912000-memory.dmp

Filesize
200KB

Download
memory/2968-272-0x00000000078F0000-0x0000000007986000-memory.dmp

Filesize
600KB

Download
memory/2968-270-0x0000000007680000-0x000000000769A000-memory.dmp

Filesize
104KB

Download
memory/2968-269-0x0000000007CC0000-0x000000000833A000-memory.dmp

Filesize
6.5MB

Download
memory/2968-268-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/2968-271-0x0000000007700000-0x000000000770A000-memory.dmp

Filesize
40KB

Download
memory/3260-184-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3260-312-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3268-318-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/3516-201-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3948-293-0x000000002D420000-0x000000002D4BB000-memory.dmp

Filesize
620KB

Download
memory/3948-326-0x000000002D420000-0x000000002D4BB000-memory.dmp

Filesize
620KB

Download
memory/3948-319-0x0000000002480000-0x0000000003480000-memory.dmp

Filesize
16.0MB

Download
memory/3948-290-0x000000002D420000-0x000000002D4BB000-memory.dmp

Filesize
620KB

Download
memory/3948-239-0x0000000002480000-0x0000000003480000-memory.dmp

Filesize
16.0MB

Download
memory/3948-284-0x000000002D370000-0x000000002D41F000-memory.dmp

Filesize
700KB

Download
memory/4476-212-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4476-121-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4520-218-0x00000000057F0000-0x00000000058FA000-memory.dmp

Filesize
1.0MB

Download
memory/4520-216-0x0000000005C60000-0x0000000006278000-memory.dmp

Filesize
6.1MB

Download
memory/4520-215-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4520-217-0x0000000005680000-0x0000000005692000-memory.dmp

Filesize
72KB

Download
memory/4520-224-0x0000000005760000-0x000000000579C000-memory.dmp

Filesize
240KB

Download
memory/4708-207-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5032-109-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/5052-110-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/5052-210-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/5052-258-0x000000006ED30000-0x000000006ED7C000-memory.dmp

Filesize
304KB

Download
memory/5052-309-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/5052-257-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/5052-149-0x0000000006200000-0x0000000006554000-memory.dmp

Filesize
3.3MB

Download
memory/5052-227-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/5052-94-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/5052-77-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download