Malware Analysis Report

2025-01-02 06:51

Sample ID 220504-1l86vsega9
Target 7418326158.zip
SHA256 469b2a19deab693e53b7ea3d2c26833067fe6be1b9493505091fd9f586c54fb0
Tags
redline socelars jamesbig aspackv2 discovery evasion infostealer spyware stealer suricata trojan onlylogger smokeloader vidar 706 backdoor loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

469b2a19deab693e53b7ea3d2c26833067fe6be1b9493505091fd9f586c54fb0

Threat Level: Known bad

The file 7418326158.zip was found to be: Known bad.

Malicious Activity Summary

redline socelars jamesbig aspackv2 discovery evasion infostealer spyware stealer suricata trojan onlylogger smokeloader vidar 706 backdoor loader

OnlyLogger

Socelars

Vidar

RedLine Payload

Modifies Windows Defender Real-time Protection settings

RedLine

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

SmokeLoader

Socelars Payload

Vidar Stealer

OnlyLogger Payload

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up geolocation information via web service

Looks up external IP address via web service

Enumerates physical storage devices

Program crash

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-04 21:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-04 21:45

Reported

2022-05-04 21:48

Platform

win7-20220414-en

Max time kernel

151s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Socelars

stealer socelars

Socelars Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

suricata

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09ac626c3b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09ac626c3b.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat0902ab982e32902.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat0902ab982e32902.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f2a9604ddb0ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f2a9604ddb0ce.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09519161cb25021.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09519161cb25021.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat0902ab982e32902.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LR61K.tmp\Sat0902ab982e32902.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LR61K.tmp\Sat0902ab982e32902.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LR61K.tmp\Sat0902ab982e32902.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53 C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02401800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f2a9604ddb0ce.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f2a9604ddb0ce.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09c148600d822e438.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f1ff9181e817b86.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe
PID 1224 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe
PID 1224 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe
PID 1224 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe
PID 1224 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe
PID 1224 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe
PID 1224 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe
PID 956 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f1ff9181e817b86.exe
PID 320 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f1ff9181e817b86.exe
PID 320 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f1ff9181e817b86.exe
PID 320 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f1ff9181e817b86.exe
PID 472 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 472 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 472 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 472 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 472 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 472 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 472 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe

"C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0902ab982e32902.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09f2a9604ddb0ce.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f1ff9181e817b86.exe

Sat09f1ff9181e817b86.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09ac626c3b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat091ac9063af7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09b5258b63.exe

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat091ac9063af7.exe

Sat091ac9063af7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat096d657bea7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09f1ff9181e817b86.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09519161cb25021.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe

Sat096d657bea7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09c148600d822e438.exe

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09ac626c3b.exe

Sat09ac626c3b.exe

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat0902ab982e32902.exe

Sat0902ab982e32902.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09fad3e269114b07.exe

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f2a9604ddb0ce.exe

Sat09f2a9604ddb0ce.exe

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe

Sat09b5258b63.exe

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe

Sat09fad3e269114b07.exe

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09c148600d822e438.exe

Sat09c148600d822e438.exe

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09519161cb25021.exe

Sat09519161cb25021.exe /mixone

C:\Users\Admin\AppData\Local\Temp\is-LR61K.tmp\Sat0902ab982e32902.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LR61K.tmp\Sat0902ab982e32902.tmp" /SL5="$4012A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat0902ab982e32902.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 440

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1440

C:\Users\Admin\Pictures\Adobe Films\KfxS3Kvx4UMJ10E5CxWLK55_.exe

"C:\Users\Admin\Pictures\Adobe Films\KfxS3Kvx4UMJ10E5CxWLK55_.exe"

Network

Country Destination Domain Proto
NL 45.133.1.182:80 tcp
US 8.8.8.8:53 hsiens.xyz udp
N/A 127.0.0.1:49239 tcp
N/A 127.0.0.1:49241 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
FI 65.108.20.195:6774 tcp
US 8.8.8.8:53 www.listincode.com udp
US 199.59.243.200:443 www.listincode.com tcp
US 8.8.8.8:53 safialinks.com udp
US 8.8.8.8:53 x2.i.lencr.org udp
NL 23.2.164.159:80 x2.i.lencr.org tcp
US 8.8.8.8:53 x2.c.lencr.org udp
NL 23.2.164.159:80 x2.c.lencr.org tcp
US 8.8.8.8:53 e1.o.lencr.org udp
NL 104.110.191.174:80 e1.o.lencr.org tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 mas.to udp
DE 88.99.75.82:443 mas.to tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 104.110.191.182:80 apps.identrust.com tcp
US 8.8.8.8:53 guidereviews.bar udp
US 8.8.8.8:53 auto-repair-solutions.bar udp
US 8.8.8.8:53 onepremiumstore.bar udp
US 8.8.8.8:53 premium-s0ftwar3875.bar udp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 www.iyiqian.com udp
US 43.130.65.190:80 www.iyiqian.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 best-link-app.com udp
NL 45.133.1.107:80 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
FI 65.108.20.195:6774 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
NL 212.193.30.21:80 212.193.30.21 tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
NL 45.144.225.57:80 45.144.225.57 tcp
FI 65.108.20.195:6774 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
NL 212.193.30.21:80 212.193.30.21 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
FI 65.108.20.195:6774 tcp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
FI 65.108.20.195:6774 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
FI 65.108.20.195:6774 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
FI 65.108.20.195:6774 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp

Files

memory/1224-54-0x0000000076531000-0x0000000076533000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe

MD5 d2239d3a25f407500c2361f15e5e8c16
SHA1 33f770c7625323f52e2e2b20c112a67c14ead346
SHA256 31031b7a03407df072e1e553d5b2a8dabdb2463de7c5818c1f710ab4cc3a0f23
SHA512 ae507fc49a50d2766ad4ef2dd08605652e385ed681f1ce59b417e8bd493df1de3b1acda75bdbe8c6f46b292ecd1a6e56906f47a88c36708b1de5c8ecf2cacd11

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe

MD5 d2239d3a25f407500c2361f15e5e8c16
SHA1 33f770c7625323f52e2e2b20c112a67c14ead346
SHA256 31031b7a03407df072e1e553d5b2a8dabdb2463de7c5818c1f710ab4cc3a0f23
SHA512 ae507fc49a50d2766ad4ef2dd08605652e385ed681f1ce59b417e8bd493df1de3b1acda75bdbe8c6f46b292ecd1a6e56906f47a88c36708b1de5c8ecf2cacd11

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe

MD5 d2239d3a25f407500c2361f15e5e8c16
SHA1 33f770c7625323f52e2e2b20c112a67c14ead346
SHA256 31031b7a03407df072e1e553d5b2a8dabdb2463de7c5818c1f710ab4cc3a0f23
SHA512 ae507fc49a50d2766ad4ef2dd08605652e385ed681f1ce59b417e8bd493df1de3b1acda75bdbe8c6f46b292ecd1a6e56906f47a88c36708b1de5c8ecf2cacd11

memory/956-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe

MD5 d2239d3a25f407500c2361f15e5e8c16
SHA1 33f770c7625323f52e2e2b20c112a67c14ead346
SHA256 31031b7a03407df072e1e553d5b2a8dabdb2463de7c5818c1f710ab4cc3a0f23
SHA512 ae507fc49a50d2766ad4ef2dd08605652e385ed681f1ce59b417e8bd493df1de3b1acda75bdbe8c6f46b292ecd1a6e56906f47a88c36708b1de5c8ecf2cacd11

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe

MD5 d2239d3a25f407500c2361f15e5e8c16
SHA1 33f770c7625323f52e2e2b20c112a67c14ead346
SHA256 31031b7a03407df072e1e553d5b2a8dabdb2463de7c5818c1f710ab4cc3a0f23
SHA512 ae507fc49a50d2766ad4ef2dd08605652e385ed681f1ce59b417e8bd493df1de3b1acda75bdbe8c6f46b292ecd1a6e56906f47a88c36708b1de5c8ecf2cacd11

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe

MD5 d2239d3a25f407500c2361f15e5e8c16
SHA1 33f770c7625323f52e2e2b20c112a67c14ead346
SHA256 31031b7a03407df072e1e553d5b2a8dabdb2463de7c5818c1f710ab4cc3a0f23
SHA512 ae507fc49a50d2766ad4ef2dd08605652e385ed681f1ce59b417e8bd493df1de3b1acda75bdbe8c6f46b292ecd1a6e56906f47a88c36708b1de5c8ecf2cacd11

memory/956-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/956-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/956-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe

MD5 d2239d3a25f407500c2361f15e5e8c16
SHA1 33f770c7625323f52e2e2b20c112a67c14ead346
SHA256 31031b7a03407df072e1e553d5b2a8dabdb2463de7c5818c1f710ab4cc3a0f23
SHA512 ae507fc49a50d2766ad4ef2dd08605652e385ed681f1ce59b417e8bd493df1de3b1acda75bdbe8c6f46b292ecd1a6e56906f47a88c36708b1de5c8ecf2cacd11

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\setup_install.exe

MD5 d2239d3a25f407500c2361f15e5e8c16
SHA1 33f770c7625323f52e2e2b20c112a67c14ead346
SHA256 31031b7a03407df072e1e553d5b2a8dabdb2463de7c5818c1f710ab4cc3a0f23
SHA512 ae507fc49a50d2766ad4ef2dd08605652e385ed681f1ce59b417e8bd493df1de3b1acda75bdbe8c6f46b292ecd1a6e56906f47a88c36708b1de5c8ecf2cacd11

memory/956-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/956-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/956-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/956-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/956-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/472-83-0x0000000000000000-mapping.dmp

memory/320-84-0x0000000000000000-mapping.dmp

memory/1836-89-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe

MD5 2fa10132cfbce32a5ac7ee72c3587e8b
SHA1 30d26416cd5eef5ef56d9790aacc1272c7fba9ab
SHA256 cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de
SHA512 4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

memory/1188-87-0x0000000000000000-mapping.dmp

memory/1168-92-0x0000000000000000-mapping.dmp

memory/1540-96-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f1ff9181e817b86.exe

MD5 67f7840ff079c52e311eca9580366cd1
SHA1 738525b29615c29801ecb22ba5007e7b83c2b2d4
SHA256 0898bf93856be4b31058da24084d84a0a944f333f06e05f83c40b668bb96d127
SHA512 fd97b08862aa4667639c5722f3f39f9e8079ac180447e65fc019efccced51a3a75781918a6b47c3d246bca3671618314814260a4dcdcc3d00c64f576a46f13d1

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09ac626c3b.exe

MD5 afd579297cd579c417adbd604e5f6478
SHA1 ddcc76ddd8c41c93b7826338662e29e09465baa4
SHA256 64eab369a17ac181e0ce8236e1e971cec2fd07db21a28d220c6ed99ea34aed6c
SHA512 f468a39f0b6d15c4153207556c00e8e97ae61cd856e548ec7f0650e72ac50e240ffed7246f60ad0c5e8632bf7164611dadbccd18e7164e959b4b4d02f78df02e

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f1ff9181e817b86.exe

MD5 67f7840ff079c52e311eca9580366cd1
SHA1 738525b29615c29801ecb22ba5007e7b83c2b2d4
SHA256 0898bf93856be4b31058da24084d84a0a944f333f06e05f83c40b668bb96d127
SHA512 fd97b08862aa4667639c5722f3f39f9e8079ac180447e65fc019efccced51a3a75781918a6b47c3d246bca3671618314814260a4dcdcc3d00c64f576a46f13d1

memory/1824-97-0x0000000000000000-mapping.dmp

memory/1944-100-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat091ac9063af7.exe

MD5 535ae8dbaa2ab3a37b9aa8b59282a5c0
SHA1 cb375c45e0f725a8ee85f8cb37826b93d0a3ef94
SHA256 d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6
SHA512 6be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f1ff9181e817b86.exe

MD5 67f7840ff079c52e311eca9580366cd1
SHA1 738525b29615c29801ecb22ba5007e7b83c2b2d4
SHA256 0898bf93856be4b31058da24084d84a0a944f333f06e05f83c40b668bb96d127
SHA512 fd97b08862aa4667639c5722f3f39f9e8079ac180447e65fc019efccced51a3a75781918a6b47c3d246bca3671618314814260a4dcdcc3d00c64f576a46f13d1

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat0902ab982e32902.exe

MD5 210ee72ee101eca4bcbc50f9e450b1c2
SHA1 efea2cd59008a311027705bf5bd6a72da17ee843
SHA256 ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669
SHA512 8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

memory/1752-103-0x0000000000000000-mapping.dmp

memory/900-106-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat091ac9063af7.exe

MD5 535ae8dbaa2ab3a37b9aa8b59282a5c0
SHA1 cb375c45e0f725a8ee85f8cb37826b93d0a3ef94
SHA256 d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6
SHA512 6be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe

MD5 10e384c9b18deb8bd24531d6e88d3a1b
SHA1 55a8924419e58828645a41f4135b6bf3c7f33b70
SHA256 207a0bebf93a483cf8df67d5dcd7414ebaca95a1509e051ab685d55413e7d89b
SHA512 519b6fa3413828895353d7d2714a2835b37ca5d0d861cfd8c56e8f0409d8fac8e156f7ec4653af26805f732547718a6e16dae909c7a734ff5e775091b24e414c

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09c148600d822e438.exe

MD5 aae5a96fdb4dacba841f37cd6bd287e9
SHA1 ea00eeac88b11452e092b9f3cc1e5833a8d83045
SHA256 a64a3914b2b41dc192b1d792e6dc4c6dbae56d106f0940f3f7a49c5f4b00c56e
SHA512 d9846063a78b8e90bd5d42fc907b3410414eb2df7fc47a57a8467d7d8bb51307cd3a492dee7e3d735e7841829751dd4309ffa44651a098cdb7d4fb051ed7712c

memory/1804-119-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe

MD5 2fa10132cfbce32a5ac7ee72c3587e8b
SHA1 30d26416cd5eef5ef56d9790aacc1272c7fba9ab
SHA256 cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de
SHA512 4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09ac626c3b.exe

MD5 afd579297cd579c417adbd604e5f6478
SHA1 ddcc76ddd8c41c93b7826338662e29e09465baa4
SHA256 64eab369a17ac181e0ce8236e1e971cec2fd07db21a28d220c6ed99ea34aed6c
SHA512 f468a39f0b6d15c4153207556c00e8e97ae61cd856e548ec7f0650e72ac50e240ffed7246f60ad0c5e8632bf7164611dadbccd18e7164e959b4b4d02f78df02e

memory/1036-116-0x0000000000000000-mapping.dmp

memory/1428-115-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09ac626c3b.exe

MD5 afd579297cd579c417adbd604e5f6478
SHA1 ddcc76ddd8c41c93b7826338662e29e09465baa4
SHA256 64eab369a17ac181e0ce8236e1e971cec2fd07db21a28d220c6ed99ea34aed6c
SHA512 f468a39f0b6d15c4153207556c00e8e97ae61cd856e548ec7f0650e72ac50e240ffed7246f60ad0c5e8632bf7164611dadbccd18e7164e959b4b4d02f78df02e

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09ac626c3b.exe

MD5 afd579297cd579c417adbd604e5f6478
SHA1 ddcc76ddd8c41c93b7826338662e29e09465baa4
SHA256 64eab369a17ac181e0ce8236e1e971cec2fd07db21a28d220c6ed99ea34aed6c
SHA512 f468a39f0b6d15c4153207556c00e8e97ae61cd856e548ec7f0650e72ac50e240ffed7246f60ad0c5e8632bf7164611dadbccd18e7164e959b4b4d02f78df02e

memory/1748-107-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f2a9604ddb0ce.exe

MD5 5a2353aae7d8538d5ed0ee486330d396
SHA1 9246c223f1a4091197c6afa4c48097480ac8ff34
SHA256 d2c456164b7e39ed8c3132d7d38ed88d91cfaceb7ec111cffaef48b8ef03c288
SHA512 f4df8c52af12369bab744a5c30ab95b236396b24437fcd065efaeb5b623f1c5d2b783fc10923c3b39ef0105fb6a4e352239707305f71676aa023160603c7e964

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09ac626c3b.exe

MD5 afd579297cd579c417adbd604e5f6478
SHA1 ddcc76ddd8c41c93b7826338662e29e09465baa4
SHA256 64eab369a17ac181e0ce8236e1e971cec2fd07db21a28d220c6ed99ea34aed6c
SHA512 f468a39f0b6d15c4153207556c00e8e97ae61cd856e548ec7f0650e72ac50e240ffed7246f60ad0c5e8632bf7164611dadbccd18e7164e959b4b4d02f78df02e

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09ac626c3b.exe

MD5 afd579297cd579c417adbd604e5f6478
SHA1 ddcc76ddd8c41c93b7826338662e29e09465baa4
SHA256 64eab369a17ac181e0ce8236e1e971cec2fd07db21a28d220c6ed99ea34aed6c
SHA512 f468a39f0b6d15c4153207556c00e8e97ae61cd856e548ec7f0650e72ac50e240ffed7246f60ad0c5e8632bf7164611dadbccd18e7164e959b4b4d02f78df02e

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe

MD5 2fa10132cfbce32a5ac7ee72c3587e8b
SHA1 30d26416cd5eef5ef56d9790aacc1272c7fba9ab
SHA256 cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de
SHA512 4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe

MD5 2fa10132cfbce32a5ac7ee72c3587e8b
SHA1 30d26416cd5eef5ef56d9790aacc1272c7fba9ab
SHA256 cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de
SHA512 4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat096d657bea7.exe

MD5 2fa10132cfbce32a5ac7ee72c3587e8b
SHA1 30d26416cd5eef5ef56d9790aacc1272c7fba9ab
SHA256 cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de
SHA512 4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

memory/1624-121-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat091ac9063af7.exe

MD5 535ae8dbaa2ab3a37b9aa8b59282a5c0
SHA1 cb375c45e0f725a8ee85f8cb37826b93d0a3ef94
SHA256 d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6
SHA512 6be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c

memory/564-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe

MD5 05df98ef620b4a298719148c502388bd
SHA1 1d909bd5f9d976654ab42360f4aba4b232d1575a
SHA256 bd0dbf1d4573f97acaeb4c9faacb7af147b9b75201b86e44f4a0cd429fa65be4
SHA512 db20bdae1a21b231c754d6a16045c7a85051d8999d1f73790a34784cbf06ba2efec310129acca8fac607b2111178d06143e7e920c5bb859750ef504d1e8b7f0b

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat0902ab982e32902.exe

MD5 210ee72ee101eca4bcbc50f9e450b1c2
SHA1 efea2cd59008a311027705bf5bd6a72da17ee843
SHA256 ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669
SHA512 8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09519161cb25021.exe

MD5 71d5b0cc31391922fc05e15293ecc772
SHA1 4057b118de7e9c58b71a43730af4ae2a4e7cc634
SHA256 3861370b4a6e7a5a84759a14a851c15714757115d9f689e65a93d9285b356995
SHA512 2a6a75e1cf2222fa8f3554ba16a3cb6bef4b4db0a31c0f17bb19580064ce318956ac58d6d44e06e60b45009935edf7597e69f500ef581bfe0f44c9929b602cf2

memory/1540-133-0x0000000000D10000-0x0000000000D40000-memory.dmp

memory/1884-132-0x0000000000000000-mapping.dmp

memory/1552-140-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f2a9604ddb0ce.exe

MD5 5a2353aae7d8538d5ed0ee486330d396
SHA1 9246c223f1a4091197c6afa4c48097480ac8ff34
SHA256 d2c456164b7e39ed8c3132d7d38ed88d91cfaceb7ec111cffaef48b8ef03c288
SHA512 f4df8c52af12369bab744a5c30ab95b236396b24437fcd065efaeb5b623f1c5d2b783fc10923c3b39ef0105fb6a4e352239707305f71676aa023160603c7e964

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f2a9604ddb0ce.exe

MD5 5a2353aae7d8538d5ed0ee486330d396
SHA1 9246c223f1a4091197c6afa4c48097480ac8ff34
SHA256 d2c456164b7e39ed8c3132d7d38ed88d91cfaceb7ec111cffaef48b8ef03c288
SHA512 f4df8c52af12369bab744a5c30ab95b236396b24437fcd065efaeb5b623f1c5d2b783fc10923c3b39ef0105fb6a4e352239707305f71676aa023160603c7e964

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat0902ab982e32902.exe

MD5 210ee72ee101eca4bcbc50f9e450b1c2
SHA1 efea2cd59008a311027705bf5bd6a72da17ee843
SHA256 ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669
SHA512 8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat0902ab982e32902.exe

MD5 210ee72ee101eca4bcbc50f9e450b1c2
SHA1 efea2cd59008a311027705bf5bd6a72da17ee843
SHA256 ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669
SHA512 8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f2a9604ddb0ce.exe

MD5 5a2353aae7d8538d5ed0ee486330d396
SHA1 9246c223f1a4091197c6afa4c48097480ac8ff34
SHA256 d2c456164b7e39ed8c3132d7d38ed88d91cfaceb7ec111cffaef48b8ef03c288
SHA512 f4df8c52af12369bab744a5c30ab95b236396b24437fcd065efaeb5b623f1c5d2b783fc10923c3b39ef0105fb6a4e352239707305f71676aa023160603c7e964

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat0902ab982e32902.exe

MD5 210ee72ee101eca4bcbc50f9e450b1c2
SHA1 efea2cd59008a311027705bf5bd6a72da17ee843
SHA256 ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669
SHA512 8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe

MD5 05df98ef620b4a298719148c502388bd
SHA1 1d909bd5f9d976654ab42360f4aba4b232d1575a
SHA256 bd0dbf1d4573f97acaeb4c9faacb7af147b9b75201b86e44f4a0cd429fa65be4
SHA512 db20bdae1a21b231c754d6a16045c7a85051d8999d1f73790a34784cbf06ba2efec310129acca8fac607b2111178d06143e7e920c5bb859750ef504d1e8b7f0b

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe

MD5 10e384c9b18deb8bd24531d6e88d3a1b
SHA1 55a8924419e58828645a41f4135b6bf3c7f33b70
SHA256 207a0bebf93a483cf8df67d5dcd7414ebaca95a1509e051ab685d55413e7d89b
SHA512 519b6fa3413828895353d7d2714a2835b37ca5d0d861cfd8c56e8f0409d8fac8e156f7ec4653af26805f732547718a6e16dae909c7a734ff5e775091b24e414c

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f2a9604ddb0ce.exe

MD5 5a2353aae7d8538d5ed0ee486330d396
SHA1 9246c223f1a4091197c6afa4c48097480ac8ff34
SHA256 d2c456164b7e39ed8c3132d7d38ed88d91cfaceb7ec111cffaef48b8ef03c288
SHA512 f4df8c52af12369bab744a5c30ab95b236396b24437fcd065efaeb5b623f1c5d2b783fc10923c3b39ef0105fb6a4e352239707305f71676aa023160603c7e964

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09f2a9604ddb0ce.exe

MD5 5a2353aae7d8538d5ed0ee486330d396
SHA1 9246c223f1a4091197c6afa4c48097480ac8ff34
SHA256 d2c456164b7e39ed8c3132d7d38ed88d91cfaceb7ec111cffaef48b8ef03c288
SHA512 f4df8c52af12369bab744a5c30ab95b236396b24437fcd065efaeb5b623f1c5d2b783fc10923c3b39ef0105fb6a4e352239707305f71676aa023160603c7e964

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09c148600d822e438.exe

MD5 aae5a96fdb4dacba841f37cd6bd287e9
SHA1 ea00eeac88b11452e092b9f3cc1e5833a8d83045
SHA256 a64a3914b2b41dc192b1d792e6dc4c6dbae56d106f0940f3f7a49c5f4b00c56e
SHA512 d9846063a78b8e90bd5d42fc907b3410414eb2df7fc47a57a8467d7d8bb51307cd3a492dee7e3d735e7841829751dd4309ffa44651a098cdb7d4fb051ed7712c

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe

MD5 05df98ef620b4a298719148c502388bd
SHA1 1d909bd5f9d976654ab42360f4aba4b232d1575a
SHA256 bd0dbf1d4573f97acaeb4c9faacb7af147b9b75201b86e44f4a0cd429fa65be4
SHA512 db20bdae1a21b231c754d6a16045c7a85051d8999d1f73790a34784cbf06ba2efec310129acca8fac607b2111178d06143e7e920c5bb859750ef504d1e8b7f0b

memory/1608-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09c148600d822e438.exe

MD5 aae5a96fdb4dacba841f37cd6bd287e9
SHA1 ea00eeac88b11452e092b9f3cc1e5833a8d83045
SHA256 a64a3914b2b41dc192b1d792e6dc4c6dbae56d106f0940f3f7a49c5f4b00c56e
SHA512 d9846063a78b8e90bd5d42fc907b3410414eb2df7fc47a57a8467d7d8bb51307cd3a492dee7e3d735e7841829751dd4309ffa44651a098cdb7d4fb051ed7712c

memory/780-162-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe

MD5 10e384c9b18deb8bd24531d6e88d3a1b
SHA1 55a8924419e58828645a41f4135b6bf3c7f33b70
SHA256 207a0bebf93a483cf8df67d5dcd7414ebaca95a1509e051ab685d55413e7d89b
SHA512 519b6fa3413828895353d7d2714a2835b37ca5d0d861cfd8c56e8f0409d8fac8e156f7ec4653af26805f732547718a6e16dae909c7a734ff5e775091b24e414c

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe

MD5 10e384c9b18deb8bd24531d6e88d3a1b
SHA1 55a8924419e58828645a41f4135b6bf3c7f33b70
SHA256 207a0bebf93a483cf8df67d5dcd7414ebaca95a1509e051ab685d55413e7d89b
SHA512 519b6fa3413828895353d7d2714a2835b37ca5d0d861cfd8c56e8f0409d8fac8e156f7ec4653af26805f732547718a6e16dae909c7a734ff5e775091b24e414c

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09519161cb25021.exe

MD5 71d5b0cc31391922fc05e15293ecc772
SHA1 4057b118de7e9c58b71a43730af4ae2a4e7cc634
SHA256 3861370b4a6e7a5a84759a14a851c15714757115d9f689e65a93d9285b356995
SHA512 2a6a75e1cf2222fa8f3554ba16a3cb6bef4b4db0a31c0f17bb19580064ce318956ac58d6d44e06e60b45009935edf7597e69f500ef581bfe0f44c9929b602cf2

memory/780-164-0x0000000000840000-0x0000000000848000-memory.dmp

memory/828-170-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09519161cb25021.exe

MD5 71d5b0cc31391922fc05e15293ecc772
SHA1 4057b118de7e9c58b71a43730af4ae2a4e7cc634
SHA256 3861370b4a6e7a5a84759a14a851c15714757115d9f689e65a93d9285b356995
SHA512 2a6a75e1cf2222fa8f3554ba16a3cb6bef4b4db0a31c0f17bb19580064ce318956ac58d6d44e06e60b45009935edf7597e69f500ef581bfe0f44c9929b602cf2

memory/564-165-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09519161cb25021.exe

MD5 71d5b0cc31391922fc05e15293ecc772
SHA1 4057b118de7e9c58b71a43730af4ae2a4e7cc634
SHA256 3861370b4a6e7a5a84759a14a851c15714757115d9f689e65a93d9285b356995
SHA512 2a6a75e1cf2222fa8f3554ba16a3cb6bef4b4db0a31c0f17bb19580064ce318956ac58d6d44e06e60b45009935edf7597e69f500ef581bfe0f44c9929b602cf2

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe

MD5 05df98ef620b4a298719148c502388bd
SHA1 1d909bd5f9d976654ab42360f4aba4b232d1575a
SHA256 bd0dbf1d4573f97acaeb4c9faacb7af147b9b75201b86e44f4a0cd429fa65be4
SHA512 db20bdae1a21b231c754d6a16045c7a85051d8999d1f73790a34784cbf06ba2efec310129acca8fac607b2111178d06143e7e920c5bb859750ef504d1e8b7f0b

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe

MD5 05df98ef620b4a298719148c502388bd
SHA1 1d909bd5f9d976654ab42360f4aba4b232d1575a
SHA256 bd0dbf1d4573f97acaeb4c9faacb7af147b9b75201b86e44f4a0cd429fa65be4
SHA512 db20bdae1a21b231c754d6a16045c7a85051d8999d1f73790a34784cbf06ba2efec310129acca8fac607b2111178d06143e7e920c5bb859750ef504d1e8b7f0b

C:\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09b5258b63.exe

MD5 10e384c9b18deb8bd24531d6e88d3a1b
SHA1 55a8924419e58828645a41f4135b6bf3c7f33b70
SHA256 207a0bebf93a483cf8df67d5dcd7414ebaca95a1509e051ab685d55413e7d89b
SHA512 519b6fa3413828895353d7d2714a2835b37ca5d0d861cfd8c56e8f0409d8fac8e156f7ec4653af26805f732547718a6e16dae909c7a734ff5e775091b24e414c

memory/1588-156-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8C4C64FB\Sat09fad3e269114b07.exe

MD5 05df98ef620b4a298719148c502388bd
SHA1 1d909bd5f9d976654ab42360f4aba4b232d1575a
SHA256 bd0dbf1d4573f97acaeb4c9faacb7af147b9b75201b86e44f4a0cd429fa65be4
SHA512 db20bdae1a21b231c754d6a16045c7a85051d8999d1f73790a34784cbf06ba2efec310129acca8fac607b2111178d06143e7e920c5bb859750ef504d1e8b7f0b

memory/1556-174-0x0000000000000000-mapping.dmp

memory/1960-176-0x0000000000000000-mapping.dmp

memory/1540-177-0x0000000000150000-0x0000000000156000-memory.dmp

memory/1540-178-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

memory/1428-179-0x0000000000620000-0x0000000000646000-memory.dmp

memory/1428-180-0x0000000001F00000-0x0000000001F24000-memory.dmp

memory/1824-181-0x0000000073770000-0x0000000073D1B000-memory.dmp

memory/1608-182-0x0000000000300000-0x0000000000308000-memory.dmp

memory/1608-183-0x00000000001D0000-0x00000000001D9000-memory.dmp

memory/1608-184-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/2128-185-0x0000000000000000-mapping.dmp

memory/2168-187-0x0000000000000000-mapping.dmp

memory/2268-189-0x0000000000000000-mapping.dmp

memory/564-190-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2464-191-0x0000000000000000-mapping.dmp

memory/1804-192-0x0000000004040000-0x0000000004200000-memory.dmp

memory/956-193-0x000000006B280000-0x000000006B2A6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-04 21:45

Reported

2022-05-04 21:48

Platform

win10v2004-20220414-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

OnlyLogger

loader onlylogger

SmokeLoader

trojan backdoor smokeloader

Socelars

stealer socelars

Socelars Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

suricata

OnlyLogger Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat096d657bea7.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09fad3e269114b07.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09fad3e269114b07.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09fad3e269114b07.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53 C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09fad3e269114b07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09fad3e269114b07.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09519161cb25021.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09fad3e269114b07.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09f1ff9181e817b86.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09c148600d822e438.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2476 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe
PID 2476 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe
PID 2476 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe
PID 3432 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4488 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4488 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3432 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5080 wrote to memory of 3736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09f1ff9181e817b86.exe
PID 5080 wrote to memory of 3736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09f1ff9181e817b86.exe
PID 3664 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat091ac9063af7.exe
PID 3664 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat091ac9063af7.exe
PID 540 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat096d657bea7.exe
PID 540 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat096d657bea7.exe
PID 540 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat096d657bea7.exe
PID 3432 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3704 wrote to memory of 4168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09ac626c3b.exe
PID 3704 wrote to memory of 4168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09ac626c3b.exe
PID 3704 wrote to memory of 4168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09ac626c3b.exe
PID 3432 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat0902ab982e32902.exe
PID 4496 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat0902ab982e32902.exe
PID 4496 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat0902ab982e32902.exe
PID 3432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09f2a9604ddb0ce.exe
PID 2868 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09f2a9604ddb0ce.exe
PID 2868 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09f2a9604ddb0ce.exe
PID 1872 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09fad3e269114b07.exe
PID 1872 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09fad3e269114b07.exe
PID 1872 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09fad3e269114b07.exe
PID 4548 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe
PID 4548 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe
PID 4548 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe
PID 1968 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat0902ab982e32902.exe C:\Users\Admin\AppData\Local\Temp\is-1QRCJ.tmp\Sat0902ab982e32902.tmp
PID 1968 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat0902ab982e32902.exe C:\Users\Admin\AppData\Local\Temp\is-1QRCJ.tmp\Sat0902ab982e32902.tmp
PID 1968 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat0902ab982e32902.exe C:\Users\Admin\AppData\Local\Temp\is-1QRCJ.tmp\Sat0902ab982e32902.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe

"C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09f1ff9181e817b86.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat096d657bea7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat091ac9063af7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0902ab982e32902.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09f2a9604ddb0ce.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat096d657bea7.exe

Sat096d657bea7.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat091ac9063af7.exe

Sat091ac9063af7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09b5258b63.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09f1ff9181e817b86.exe

Sat09f1ff9181e817b86.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09ac626c3b.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat0902ab982e32902.exe

Sat0902ab982e32902.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09519161cb25021.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09fad3e269114b07.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe

Sat09b5258b63.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09f2a9604ddb0ce.exe

Sat09f2a9604ddb0ce.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09fad3e269114b07.exe

Sat09fad3e269114b07.exe

C:\Users\Admin\AppData\Local\Temp\is-1QRCJ.tmp\Sat0902ab982e32902.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1QRCJ.tmp\Sat0902ab982e32902.tmp" /SL5="$6002E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat0902ab982e32902.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09c148600d822e438.exe

Sat09c148600d822e438.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3432 -ip 3432

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09519161cb25021.exe

Sat09519161cb25021.exe /mixone

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 576

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09c148600d822e438.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09ac626c3b.exe

Sat09ac626c3b.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\xcopy.exe

xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4956 -ip 4956

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffaaec04f50,0x7ffaaec04f60,0x7ffaaec04f70

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 676

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1656 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2004 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2248 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 676

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3896 -ip 3896

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 828

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4988 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1076

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5500 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5000 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5300 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3324 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5900 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5816 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1

C:\Users\Admin\Pictures\Adobe Films\7Ty0G9QpyrlWdhTVsMP6nP1n.exe

"C:\Users\Admin\Pictures\Adobe Films\7Ty0G9QpyrlWdhTVsMP6nP1n.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2516 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2508 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5448 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2644 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1576 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,839951972224132384,11353389875627547368,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2852 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 hsiens.xyz udp
NL 45.133.1.182:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 guidereviews.bar udp
US 208.95.112.1:80 ip-api.com tcp
US 199.59.243.200:443 www.listincode.com tcp
US 8.8.8.8:53 auto-repair-solutions.bar udp
US 8.8.8.8:53 onepremiumstore.bar udp
US 8.8.8.8:53 premium-s0ftwar3875.bar udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
US 8.8.8.8:53 safialinks.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 best-link-app.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 x2.i.lencr.org udp
NL 23.2.164.159:80 x2.i.lencr.org tcp
US 8.8.8.8:53 x2.c.lencr.org udp
NL 23.2.164.159:80 x2.c.lencr.org tcp
US 8.8.8.8:53 e1.o.lencr.org udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 104.110.191.206:80 e1.o.lencr.org tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
N/A 127.0.0.1:49777 tcp
N/A 127.0.0.1:49779 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 mas.to udp
DE 88.99.75.82:443 mas.to tcp
FI 65.108.20.195:6774 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 www.iyiqian.com udp
US 43.130.65.190:80 www.iyiqian.com tcp
NL 45.133.1.107:80 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 secure.facebook.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 www.iyiqian.com udp
US 8.8.8.8:53 clients2.google.com udp
NL 142.251.36.45:443 accounts.google.com udp
US 43.130.65.190:80 www.iyiqian.com tcp
NL 142.250.179.174:443 clients2.google.com udp
US 157.240.201.35:443 www.facebook.com tcp
US 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 cleaner-partners.ltd udp
NL 31.13.64.13:443 secure.facebook.com tcp
NL 31.13.64.13:443 secure.facebook.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
US 43.130.65.190:80 www.iyiqian.com tcp
NL 142.251.39.97:443 clients2.googleusercontent.com udp
NL 142.251.39.97:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 guidereviews.bar udp
US 8.8.8.8:53 auto-repair-solutions.bar udp
US 8.8.8.8:53 onepremiumstore.bar udp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 31.13.64.21:443 static.xx.fbcdn.net tcp
NL 31.13.64.21:443 static.xx.fbcdn.net tcp
NL 31.13.64.21:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 www.listincode.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 199.59.243.200:443 www.listincode.com tcp
NL 31.13.64.21:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 lbsp.click.com.cn udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
NL 142.250.179.202:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 facebook.com udp
CN 60.190.243.163:443 lbsp.click.com.cn tcp
NL 31.13.64.35:443 facebook.com tcp
CN 60.190.243.163:443 lbsp.click.com.cn tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 142.250.179.202:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 cleaner-partners.ltd udp
US 162.159.135.233:443 cdn.discordapp.com tcp
RU 194.145.227.161:80 194.145.227.161 tcp
RU 194.145.227.161:80 tcp
US 8.8.8.8:53 ssl.gstatic.com udp
NL 216.58.208.99:443 ssl.gstatic.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 update.googleapis.com udp
NL 142.250.179.163:443 update.googleapis.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 20.44.10.123:443 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 govsurplusstore.com udp
US 8.8.8.8:53 best-forsale.com udp
US 8.8.8.8:53 chmxnautoparts.com udp
US 8.8.8.8:53 kwazone.com udp
FI 65.108.20.195:6774 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
NL 212.193.30.21:80 212.193.30.21 tcp
US 162.159.135.233:80 cdn.discordapp.com tcp
US 162.159.135.233:80 cdn.discordapp.com tcp
US 162.159.135.233:80 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 guidereviews.bar udp
US 8.8.8.8:53 auto-repair-solutions.bar udp
US 8.8.8.8:53 onepremiumstore.bar udp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
NL 45.144.225.57:80 45.144.225.57 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
NL 212.193.30.21:80 212.193.30.21 tcp
RU 194.145.227.161:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 8.248.7.254:80 tcp
FI 65.108.20.195:6774 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 guidereviews.bar udp
US 8.8.8.8:53 auto-repair-solutions.bar udp
US 8.8.8.8:53 onepremiumstore.bar udp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
RU 194.145.227.161:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
FI 65.108.20.195:6774 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 142.250.179.163:443 update.googleapis.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 216.58.214.14:80 redirector.gvt1.com tcp
US 8.8.8.8:53 r2---sn-aigzrn7z.gvt1.com udp
GB 173.194.135.103:80 r2---sn-aigzrn7z.gvt1.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 guidereviews.bar udp
US 8.8.8.8:53 auto-repair-solutions.bar udp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
RU 194.145.227.161:80 194.145.227.161 tcp
RU 194.145.227.161:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
FI 65.108.20.195:6774 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 guidereviews.bar udp
US 8.8.8.8:53 auto-repair-solutions.bar udp
US 8.8.8.8:53 onepremiumstore.bar udp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
RU 194.145.227.161:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 65.108.20.195:6774 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 guidereviews.bar udp
US 8.8.8.8:53 auto-repair-solutions.bar udp
US 8.8.8.8:53 onepremiumstore.bar udp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
RU 194.145.227.161:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 safebrowsing.googleapis.com udp
NL 142.250.179.170:443 safebrowsing.googleapis.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 www.listfcbt.top udp
US 8.8.8.8:53 www.getrqpop.com udp
US 8.8.8.8:53 www.typefdq.xyz udp
US 8.8.8.8:53 www.rqckdpt.top udp
NL 142.250.179.163:443 update.googleapis.com udp
FI 65.108.20.195:6774 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe

MD5 d2239d3a25f407500c2361f15e5e8c16
SHA1 33f770c7625323f52e2e2b20c112a67c14ead346
SHA256 31031b7a03407df072e1e553d5b2a8dabdb2463de7c5818c1f710ab4cc3a0f23
SHA512 ae507fc49a50d2766ad4ef2dd08605652e385ed681f1ce59b417e8bd493df1de3b1acda75bdbe8c6f46b292ecd1a6e56906f47a88c36708b1de5c8ecf2cacd11

memory/3432-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\setup_install.exe

MD5 d2239d3a25f407500c2361f15e5e8c16
SHA1 33f770c7625323f52e2e2b20c112a67c14ead346
SHA256 31031b7a03407df072e1e553d5b2a8dabdb2463de7c5818c1f710ab4cc3a0f23
SHA512 ae507fc49a50d2766ad4ef2dd08605652e385ed681f1ce59b417e8bd493df1de3b1acda75bdbe8c6f46b292ecd1a6e56906f47a88c36708b1de5c8ecf2cacd11

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/3432-144-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3432-145-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3432-146-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3432-147-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3432-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3432-150-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3432-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3432-151-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4488-152-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat096d657bea7.exe

MD5 2fa10132cfbce32a5ac7ee72c3587e8b
SHA1 30d26416cd5eef5ef56d9790aacc1272c7fba9ab
SHA256 cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de
SHA512 4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

memory/3664-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat091ac9063af7.exe

MD5 535ae8dbaa2ab3a37b9aa8b59282a5c0
SHA1 cb375c45e0f725a8ee85f8cb37826b93d0a3ef94
SHA256 d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6
SHA512 6be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c

memory/3704-160-0x0000000000000000-mapping.dmp

memory/4496-162-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat0902ab982e32902.exe

MD5 210ee72ee101eca4bcbc50f9e450b1c2
SHA1 efea2cd59008a311027705bf5bd6a72da17ee843
SHA256 ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669
SHA512 8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

memory/2868-164-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09ac626c3b.exe

MD5 afd579297cd579c417adbd604e5f6478
SHA1 ddcc76ddd8c41c93b7826338662e29e09465baa4
SHA256 64eab369a17ac181e0ce8236e1e971cec2fd07db21a28d220c6ed99ea34aed6c
SHA512 f468a39f0b6d15c4153207556c00e8e97ae61cd856e548ec7f0650e72ac50e240ffed7246f60ad0c5e8632bf7164611dadbccd18e7164e959b4b4d02f78df02e

memory/540-156-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09f1ff9181e817b86.exe

MD5 67f7840ff079c52e311eca9580366cd1
SHA1 738525b29615c29801ecb22ba5007e7b83c2b2d4
SHA256 0898bf93856be4b31058da24084d84a0a944f333f06e05f83c40b668bb96d127
SHA512 fd97b08862aa4667639c5722f3f39f9e8079ac180447e65fc019efccced51a3a75781918a6b47c3d246bca3671618314814260a4dcdcc3d00c64f576a46f13d1

memory/456-154-0x0000000000000000-mapping.dmp

memory/5080-153-0x0000000000000000-mapping.dmp

memory/4548-169-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09f2a9604ddb0ce.exe

MD5 5a2353aae7d8538d5ed0ee486330d396
SHA1 9246c223f1a4091197c6afa4c48097480ac8ff34
SHA256 d2c456164b7e39ed8c3132d7d38ed88d91cfaceb7ec111cffaef48b8ef03c288
SHA512 f4df8c52af12369bab744a5c30ab95b236396b24437fcd065efaeb5b623f1c5d2b783fc10923c3b39ef0105fb6a4e352239707305f71676aa023160603c7e964

memory/3736-165-0x0000000000000000-mapping.dmp

memory/4584-168-0x0000000000000000-mapping.dmp

memory/4564-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat091ac9063af7.exe

MD5 535ae8dbaa2ab3a37b9aa8b59282a5c0
SHA1 cb375c45e0f725a8ee85f8cb37826b93d0a3ef94
SHA256 d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6
SHA512 6be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat096d657bea7.exe

MD5 2fa10132cfbce32a5ac7ee72c3587e8b
SHA1 30d26416cd5eef5ef56d9790aacc1272c7fba9ab
SHA256 cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de
SHA512 4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09ac626c3b.exe

MD5 afd579297cd579c417adbd604e5f6478
SHA1 ddcc76ddd8c41c93b7826338662e29e09465baa4
SHA256 64eab369a17ac181e0ce8236e1e971cec2fd07db21a28d220c6ed99ea34aed6c
SHA512 f468a39f0b6d15c4153207556c00e8e97ae61cd856e548ec7f0650e72ac50e240ffed7246f60ad0c5e8632bf7164611dadbccd18e7164e959b4b4d02f78df02e

memory/1968-182-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09519161cb25021.exe

MD5 71d5b0cc31391922fc05e15293ecc772
SHA1 4057b118de7e9c58b71a43730af4ae2a4e7cc634
SHA256 3861370b4a6e7a5a84759a14a851c15714757115d9f689e65a93d9285b356995
SHA512 2a6a75e1cf2222fa8f3554ba16a3cb6bef4b4db0a31c0f17bb19580064ce318956ac58d6d44e06e60b45009935edf7597e69f500ef581bfe0f44c9929b602cf2

memory/4956-188-0x0000000000000000-mapping.dmp

memory/4456-190-0x0000000000000000-mapping.dmp

memory/2328-189-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09fad3e269114b07.exe

MD5 05df98ef620b4a298719148c502388bd
SHA1 1d909bd5f9d976654ab42360f4aba4b232d1575a
SHA256 bd0dbf1d4573f97acaeb4c9faacb7af147b9b75201b86e44f4a0cd429fa65be4
SHA512 db20bdae1a21b231c754d6a16045c7a85051d8999d1f73790a34784cbf06ba2efec310129acca8fac607b2111178d06143e7e920c5bb859750ef504d1e8b7f0b

memory/456-191-0x0000000005800000-0x0000000005E28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe

MD5 10e384c9b18deb8bd24531d6e88d3a1b
SHA1 55a8924419e58828645a41f4135b6bf3c7f33b70
SHA256 207a0bebf93a483cf8df67d5dcd7414ebaca95a1509e051ab685d55413e7d89b
SHA512 519b6fa3413828895353d7d2714a2835b37ca5d0d861cfd8c56e8f0409d8fac8e156f7ec4653af26805f732547718a6e16dae909c7a734ff5e775091b24e414c

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09f2a9604ddb0ce.exe

MD5 5a2353aae7d8538d5ed0ee486330d396
SHA1 9246c223f1a4091197c6afa4c48097480ac8ff34
SHA256 d2c456164b7e39ed8c3132d7d38ed88d91cfaceb7ec111cffaef48b8ef03c288
SHA512 f4df8c52af12369bab744a5c30ab95b236396b24437fcd065efaeb5b623f1c5d2b783fc10923c3b39ef0105fb6a4e352239707305f71676aa023160603c7e964

C:\Users\Admin\AppData\Local\Temp\is-1QRCJ.tmp\Sat0902ab982e32902.tmp

MD5 6020849fbca45bc0c69d4d4a0f4b62e7
SHA1 5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9
SHA256 c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98
SHA512 f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb

memory/2572-196-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09c148600d822e438.exe

MD5 aae5a96fdb4dacba841f37cd6bd287e9
SHA1 ea00eeac88b11452e092b9f3cc1e5833a8d83045
SHA256 a64a3914b2b41dc192b1d792e6dc4c6dbae56d106f0940f3f7a49c5f4b00c56e
SHA512 d9846063a78b8e90bd5d42fc907b3410414eb2df7fc47a57a8467d7d8bb51307cd3a492dee7e3d735e7841829751dd4309ffa44651a098cdb7d4fb051ed7712c

memory/3168-195-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09fad3e269114b07.exe

MD5 05df98ef620b4a298719148c502388bd
SHA1 1d909bd5f9d976654ab42360f4aba4b232d1575a
SHA256 bd0dbf1d4573f97acaeb4c9faacb7af147b9b75201b86e44f4a0cd429fa65be4
SHA512 db20bdae1a21b231c754d6a16045c7a85051d8999d1f73790a34784cbf06ba2efec310129acca8fac607b2111178d06143e7e920c5bb859750ef504d1e8b7f0b

memory/3896-199-0x0000000000000000-mapping.dmp

memory/456-201-0x0000000005780000-0x00000000057A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09519161cb25021.exe

MD5 71d5b0cc31391922fc05e15293ecc772
SHA1 4057b118de7e9c58b71a43730af4ae2a4e7cc634
SHA256 3861370b4a6e7a5a84759a14a851c15714757115d9f689e65a93d9285b356995
SHA512 2a6a75e1cf2222fa8f3554ba16a3cb6bef4b4db0a31c0f17bb19580064ce318956ac58d6d44e06e60b45009935edf7597e69f500ef581bfe0f44c9929b602cf2

memory/2572-200-0x00000000001B0000-0x00000000001B8000-memory.dmp

memory/1872-186-0x0000000000000000-mapping.dmp

memory/456-185-0x00000000030E0000-0x0000000003116000-memory.dmp

memory/2084-181-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat0902ab982e32902.exe

MD5 210ee72ee101eca4bcbc50f9e450b1c2
SHA1 efea2cd59008a311027705bf5bd6a72da17ee843
SHA256 ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669
SHA512 8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

memory/3736-178-0x0000000000A30000-0x0000000000A60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09c148600d822e438.exe

MD5 aae5a96fdb4dacba841f37cd6bd287e9
SHA1 ea00eeac88b11452e092b9f3cc1e5833a8d83045
SHA256 a64a3914b2b41dc192b1d792e6dc4c6dbae56d106f0940f3f7a49c5f4b00c56e
SHA512 d9846063a78b8e90bd5d42fc907b3410414eb2df7fc47a57a8467d7d8bb51307cd3a492dee7e3d735e7841829751dd4309ffa44651a098cdb7d4fb051ed7712c

memory/1968-176-0x0000000000000000-mapping.dmp

memory/2340-175-0x0000000000000000-mapping.dmp

memory/4168-174-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09f1ff9181e817b86.exe

MD5 67f7840ff079c52e311eca9580366cd1
SHA1 738525b29615c29801ecb22ba5007e7b83c2b2d4
SHA256 0898bf93856be4b31058da24084d84a0a944f333f06e05f83c40b668bb96d127
SHA512 fd97b08862aa4667639c5722f3f39f9e8079ac180447e65fc019efccced51a3a75781918a6b47c3d246bca3671618314814260a4dcdcc3d00c64f576a46f13d1

C:\Users\Admin\AppData\Local\Temp\7zSCA9E5C66\Sat09b5258b63.exe

MD5 10e384c9b18deb8bd24531d6e88d3a1b
SHA1 55a8924419e58828645a41f4135b6bf3c7f33b70
SHA256 207a0bebf93a483cf8df67d5dcd7414ebaca95a1509e051ab685d55413e7d89b
SHA512 519b6fa3413828895353d7d2714a2835b37ca5d0d861cfd8c56e8f0409d8fac8e156f7ec4653af26805f732547718a6e16dae909c7a734ff5e775091b24e414c

C:\Users\Admin\AppData\Local\Temp\is-NBHQ7.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/456-204-0x0000000005FE0000-0x0000000006046000-memory.dmp

memory/456-205-0x00000000061C0000-0x0000000006226000-memory.dmp

memory/1968-206-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3432-207-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3432-209-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3432-210-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3432-208-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/456-211-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

memory/3736-212-0x00007FFAB4310000-0x00007FFAB4DD1000-memory.dmp

memory/2572-213-0x00007FFAB4310000-0x00007FFAB4DD1000-memory.dmp

memory/5072-214-0x0000000000000000-mapping.dmp

memory/456-215-0x0000000006C70000-0x0000000006CA2000-memory.dmp

memory/456-216-0x0000000071AF0000-0x0000000071B3C000-memory.dmp

memory/456-217-0x0000000006BE0000-0x0000000006BFE000-memory.dmp

memory/456-218-0x0000000008080000-0x00000000086FA000-memory.dmp

memory/456-219-0x0000000007710000-0x000000000772A000-memory.dmp

memory/456-220-0x0000000007A50000-0x0000000007A5A000-memory.dmp

memory/5092-221-0x0000000000000000-mapping.dmp

memory/456-222-0x0000000007C40000-0x0000000007CD6000-memory.dmp

memory/2360-225-0x0000000000000000-mapping.dmp

memory/4956-224-0x0000000002270000-0x0000000002344000-memory.dmp

memory/4956-223-0x000000000063D000-0x00000000006B8000-memory.dmp

memory/4956-226-0x0000000000400000-0x0000000000518000-memory.dmp

memory/2328-228-0x00000000004E0000-0x00000000004E9000-memory.dmp

memory/2328-227-0x000000000059D000-0x00000000005A6000-memory.dmp

memory/2328-229-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/456-230-0x0000000007C10000-0x0000000007C1E000-memory.dmp

memory/456-231-0x0000000007D10000-0x0000000007D2A000-memory.dmp

memory/456-232-0x0000000007D00000-0x0000000007D08000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 9293625eada67902da47fbf28c0091e8
SHA1 78dad17ace9ea7775d287be2a000adab2318590c
SHA256 8d92dfd0e456806d8bc92766403284f80a2ab995b252683dfa8c6f8af76ceab6
SHA512 1b99d35acdf9f494a2a49b1659009ecc47728925419ee2ec8a959e4eaa3abd38cf76e47891534609569b6cc3d6769ad19fcb0788a4164aabedeb2e73eff47353

memory/4168-234-0x0000000004B00000-0x00000000050A4000-memory.dmp

memory/4168-236-0x00000000056D0000-0x0000000005CE8000-memory.dmp

memory/4168-238-0x00000000050B0000-0x00000000050C2000-memory.dmp

memory/3896-237-0x0000000002150000-0x0000000002198000-memory.dmp

memory/4168-240-0x00000000050D0000-0x00000000051DA000-memory.dmp

memory/3896-239-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/4168-242-0x0000000000540000-0x0000000000570000-memory.dmp

memory/4168-241-0x000000000078C000-0x00000000007AF000-memory.dmp

memory/4168-243-0x00000000051E0000-0x000000000521C000-memory.dmp

memory/4168-244-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/3896-235-0x00000000007CD000-0x00000000007F6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 54e9306f95f32e50ccd58af19753d929
SHA1 eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA256 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA512 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 67f07a853631b07e5d5fa2050971b07c
SHA1 897a3ee8a8817b3fa575cbc2992b3a848cc64a05
SHA256 4f29aabf82c5c58f045e319603f66778a72944e352c36c6401e916bce866a362
SHA512 62668cd96d37fb482b7689a80a6d7b67376b6c7ab4d7899e6930c883c5880e8d443a91773ab95f579dde09112da54b8a66ced06a719165500a1710184c6e8235

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\background.html

MD5 9ffe618d587a0685d80e9f8bb7d89d39
SHA1 8e9cae42c911027aafae56f9b1a16eb8dd7a739c
SHA256 a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e
SHA512 a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json

MD5 9d21061c0fde598f664c196ab9285ce0
SHA1 b8963499bfb13ab67759048ed357b66042850cd4
SHA256 024872f1e0eb6f98dcbd6a9d47820525c03aa0480373f9e247a90a3ef8776514
SHA512 f62d333e6415be772751eeeaf154dc49012b5fc56b0d2d6276a099d658ebe10f3c5166ec02b215ae9cd05014d7435b53d14b98a20e2af83a7aa09a8babe71853

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\icon.png

MD5 c8d8c174df68910527edabe6b5278f06
SHA1 8ac53b3605fea693b59027b9b471202d150f266f
SHA256 9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5
SHA512 d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js

MD5 23231681d1c6f85fa32e725d6d63b19b
SHA1 f69315530b49ac743b0e012652a3a5efaed94f17
SHA256 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a
SHA512 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js

MD5 0f26002ee3b4b4440e5949a969ea7503
SHA1 31fc518828fe4894e8077ec5686dce7b1ed281d7
SHA256 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d
SHA512 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js

MD5 a09e13ee94d51c524b7e2a728c7d4039
SHA1 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae
SHA256 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef
SHA512 f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js

MD5 f6a25e7c3bef30f9a62caae063f127dd
SHA1 892d33435e59ae2217fb303d9067676135ba167a
SHA256 eaa839d20e1fe7233fada3a1a83a5c3e39de9e3a6ffa8075141e64b2f7c482cd
SHA512 4ce25900d848eb80d94ff7245dcc8a355127cfc186df2c25f849492184cdab7088068a1bbbd71bdd1ad46cdf11d6cc6b9d1aa0b0a41d87ccc43856e4d2ce9976

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js

MD5 cec1f27e8e8273b52ffd8c936c2c76e5
SHA1 48a92c087eaa1a92c8e849cd8e0179daabe711b8
SHA256 cc4dc4756d7f52e1097bd47625b82549ac342a995bc70fe8d9599a1b04133948
SHA512 132fc753e34413c5d6701926913fd0c50bdaf6539afc91b0ca59adce6b2ca47eb81be8957c7f1ee5127a52828ca7f3c7eb2ec5c1124a6312e2beda449f02f5fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js

MD5 4ff108e4584780dce15d610c142c3e62
SHA1 77e4519962e2f6a9fc93342137dbb31c33b76b04
SHA256 fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a
SHA512 d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad\settings.dat

MD5 05f92457cba4d4aa36ffe12861c0269c
SHA1 5b609d699027402621e9e55297c8af134cde1960
SHA256 aa5f623f50ade96edd47f486199f43e1250eb62c44eede7ee850c3de61ed1707
SHA512 da69735ad2e043b889dde257e600cc53866fff6010bdc61da0d35b6a6f4c5fd2a61f778bb178c6856a7f473695adb71478a8a0ee3f9ec7df86a9f4c54e14c9f3

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State

MD5 066b91c605dd5207cc4094c65eadc647
SHA1 71a797fdcbed970cb421bc28f516433e61faaf74
SHA256 de4ac5f746ee059a96b248f36408c6035f84ac27285dc0e5db2e42b238364bca
SHA512 ae78b6645c3ebf3e278b2559ff21343d5c335ca818858f5e8599a3fed39bf41cca44f7286b71f90a3b990ee6f7e4b5e90f5219c78fc6b7777fb80f8b8468be43

memory/3172-259-0x0000000002610000-0x0000000002625000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\index

MD5 ce7f9db5a178aea97b06eff9d3328cf4
SHA1 fcc7a115549b26ac0a6a8474842ee47e008a194c
SHA256 2930bd0d50b50f0eea98641bb0c5a0652cf320bd17ff96234daa4402311e78da
SHA512 628d88aa0955b4f88083aab98054f42b11b8f9ed3b76b4f9d364e04e0fcad96617c88d3881ede8c8dbafc36b274cfae4826a79c5fe8bcecc34b149ef88a8c249

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Last Version

MD5 b63048c4e7e52c52053d25da30d9c5ab
SHA1 679a44d402f5ec24605719e06459f5a707989187
SHA256 389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1
SHA512 e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

\??\pipe\crashpad_4624_NTQZIUKXQTUHQXIP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Secure Preferences

MD5 9293625eada67902da47fbf28c0091e8
SHA1 78dad17ace9ea7775d287be2a000adab2318590c
SHA256 8d92dfd0e456806d8bc92766403284f80a2ab995b252683dfa8c6f8af76ceab6
SHA512 1b99d35acdf9f494a2a49b1659009ecc47728925419ee2ec8a959e4eaa3abd38cf76e47891534609569b6cc3d6769ad19fcb0788a4164aabedeb2e73eff47353

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences

MD5 222947d1598b7692985187f902ef2a4d
SHA1 528a6a5e8d7ea960b1ea143bf7e84352bcf34752
SHA256 254449be84a501ba6ae931c81342d1d54ff582d8a71dae4e76c8fcd391a8bc3a
SHA512 bd3189c87fd98b282c20bb07972de75ee7948c8d85f072939b402b5341d8181b7cfc4f94a15bd71fd6af027d1c6dd7dc8d4fa59b8de6c7a2ba55f0f30d7c6ee3

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Visited Links

MD5 420a3299bbca63bce5d350c55412dcdc
SHA1 f805330e3159f32af026926d019815997cbb19dd
SHA256 1ef62fe1c4b9a1544b372e558234b597de5993913a50f379f985ee09b421759c
SHA512 e44c3804b53ddcccfa4bb38f581bdd1e08f4a343070b6470828b67a0303521898ed6192188464090c1d9b6af7ad849ef62dcab13fc899608ba3a439ee1c8278d

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Media History

MD5 1ddfe694c682299567c25daee0cf2a04
SHA1 d32bb6199d95989525ce204a859780cca708142c
SHA256 2237a10a071315f272ac9eb9338ce9a83350739537a5cbf0f82bd5ac65e45968
SHA512 a1a09f7e4c919a758c38c8a789feac95dd17f07fc955ca83bd0e4af6ca053f5e205d6f55bcce380f83cbc5bd26e75457ce120fc287c13bd8b73b68e1610d11a6

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Site Characteristics Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Site Characteristics Database\LOG

MD5 1c349b2b7b6750fb8f06ddc753ac230d
SHA1 1649d1fefb887d43e5edaa3f50384ad58f1efe34
SHA256 566183b667aa01d668ccef9a83c73ce97910a7265a1993ead523d558d3e15444
SHA512 a1f33ffb4e8c43bd748bd8069b6f11f36b43280dd1a41957a40f4169fd1d7254f6455c7b385367e5653ffd6eb30f29fd7ab355793ccf9b14939cf4dc7c5e18a6

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Site Characteristics Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/4584-274-0x00000000037F0000-0x00000000039B0000-memory.dmp

memory/5892-275-0x0000000000000000-mapping.dmp