Malware Analysis Report

2024-11-13 19:46

Sample ID 220815-tj3gzafff4
Target A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe
SHA256 a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
Tags
onlylogger privateloader vidar 706 aspackv2 loader main stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511

Threat Level: Known bad

The file A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe was found to be: Known bad.

Malicious Activity Summary

onlylogger privateloader vidar 706 aspackv2 loader main stealer

PrivateLoader

OnlyLogger

Vidar

OnlyLogger payload

Vidar Stealer

Downloads MZ/PE file

Executes dropped EXE

ASPack v2.12-2.42

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-15 16:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-15 16:06

Reported

2022-08-15 16:08

Platform

win7-20220812-en

Max time kernel

15s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe"

Signatures

OnlyLogger

loader onlylogger

PrivateLoader

loader privateloader

Vidar

stealer vidar

OnlyLogger payload

Description Indicator Process Target
(3 matches; description, indicator, process and target not recorded)

Vidar Stealer

stealer
Description Indicator Process Target
(2 matches; description, indicator, process and target not recorded)

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
(6 matches; description, indicator, process and target not recorded)

Downloads MZ/PE file

Executes dropped EXE

Process (description, indicator and target not recorded)
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08ee19a932fc.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082b14fb3528.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082056aadb8e0a.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat080cfbcc640c1c7.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0896a250f5.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08cc4f657fdcfb808.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0847b92f504.exe
C:\Users\Admin\AppData\Local\Temp\setup_2.exe
C:\Users\Admin\AppData\Local\Temp\is-VAVH2.tmp\Sat080cfbcc640c1c7.tmp
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe
C:\Users\Admin\AppData\Local\Temp\2.exe
C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Users\Admin\AppData\Local\Temp\setup_2.exe
C:\Users\Admin\AppData\Local\Temp\3002.exe
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
C:\Users\Admin\AppData\Local\Temp\is-236I4.tmp\setup_2.tmp
C:\Users\Admin\AppData\Local\Temp\3002.exe
C:\Users\Admin\AppData\Local\Temp\setup_2.exe
C:\Users\Admin\AppData\Local\Temp\is-IUFEF.tmp\setup_2.tmp

Loads dropped DLL

Process (description, indicator and target not recorded; consecutive repeats collapsed)
C:\Users\Admin\AppData\Local\Temp\A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (×6)
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe (×8)
C:\Windows\SysWOW64\cmd.exe (×3)
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe (×2)
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08ee19a932fc.exe (×2)
C:\Windows\SysWOW64\cmd.exe (×4)
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat080cfbcc640c1c7.exe (×2)
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082056aadb8e0a.exe (×2)
C:\Windows\SysWOW64\cmd.exe (×2)
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0847b92f504.exe (×2)
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08cc4f657fdcfb808.exe (×2)
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat080cfbcc640c1c7.exe
C:\Users\Admin\AppData\Local\Temp\is-VAVH2.tmp\Sat080cfbcc640c1c7.tmp (×3)
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0847b92f504.exe (×5)
C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Users\Admin\AppData\Local\Temp\setup_2.exe (×2)
C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0847b92f504.exe (×2)
C:\Users\Admin\AppData\Local\Temp\3002.exe (×2)
C:\Users\Admin\AppData\Local\Temp\setup_2.exe
C:\Users\Admin\AppData\Local\Temp\3002.exe
C:\Users\Admin\AppData\Local\Temp\is-236I4.tmp\setup_2.tmp (×2)
C:\Users\Admin\AppData\Local\Temp\3002.exe (×2)
C:\Users\Admin\AppData\Local\Temp\is-236I4.tmp\setup_2.tmp (×2)
C:\Users\Admin\AppData\Local\Temp\setup_2.exe (×3)
C:\Users\Admin\AppData\Local\Temp\is-IUFEF.tmp\setup_2.tmp

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A (×2)

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe N/A (×2)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
(5 further matches; description, indicator, process and target not recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0896a250f5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description (repeats in the report) Indicator Process Target
PID 1956 wrote to memory of 1220 (×7) N/A C:\Users\Admin\AppData\Local\Temp\A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1220 wrote to memory of 1416 (×7) N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe
PID 1416 wrote to memory of 1072 (×7) N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1552 (×7) N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1616 (×7) N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1712 (×7) N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1804 (×7) N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 800 (×7) N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 2044 (×7) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 1740 (×1) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe
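The WriteProcessMemory rows above record the writer PID, the target PID and both image paths, which is enough to rebuild the launch chain without the sandbox's own process tree. The Python below is an added example, not part of the Triage report: it takes the report's distinct rows (embedded as constructed input) and prints the tree from the original dropper down to the PowerShell process (PID 2044) that adds the Defender exclusion.

```python
import re
from collections import OrderedDict

# Constructed input: the ten distinct rows of the report's "Suspicious use of
# WriteProcessMemory" table (the report repeats most of them seven times; one
# copy each is enough to recover the chain).  Row format:
# "PID <writer> wrote to memory of <target> N/A <writer image> <target image>"
WPM_ROWS = r"""
PID 1956 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1220 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe
PID 1416 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) for each matching row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # header and malformed rows are skipped
            w, t, wi, ti = m.groups()
            events.append((int(w), int(t), wi, ti))
    return events


def build_tree(events):
    """Map each writer PID to its targets (first-seen order) and each PID to its image path."""
    children = OrderedDict()
    images = {}
    for w, t, wi, ti in events:
        images.setdefault(w, wi)
        images.setdefault(t, ti)
        kids = children.setdefault(w, [])
        if t not in kids:
            kids.append(t)
    return children, images


def roots(children):
    """PIDs that write into other processes but are never written into: the original dropper(s)."""
    targets = {t for kids in children.values() for t in kids}
    return [p for p in children if p not in targets]


def chain_to(children, pid):
    """PID path from the root down to `pid` (dropper -> installer -> cmd -> powershell)."""
    parent = {t: w for w, kids in children.items() for t in kids}
    path = [pid]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path[::-1]


def render(children, images, pid, depth=0):
    """Indented text tree rooted at `pid`, one line per process: '<pid> <basename>'."""
    name = images.get(pid, "?").rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{pid} {name}"]
    for kid in children.get(pid, []):
        lines.extend(render(children, images, kid, depth + 1))
    return lines


if __name__ == "__main__":
    kids, imgs = build_tree(parse_rows(WPM_ROWS))
    for root in roots(kids):
        print("\n".join(render(kids, imgs, root)))
    print("powershell chain:", " -> ".join(map(str, chain_to(kids, 2044))))
```

The output puts 1956 (the dropper) at the root, setup_installer.exe and setup_install.exe below it, and six cmd.exe children of PID 1416, one of which (1072) launches the PowerShell that adds the Defender exclusion. One caveat when reading this table: CreateProcess itself writes the child's startup parameters into the new process, so a parent-to-child row here maps a launch and does not by itself prove code injection; the seven-fold repetition is several write calls per launch, not seven launches.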

Processes

C:\Users\Admin\AppData\Local\Temp\A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe

"C:\Users\Admin\AppData\Local\Temp\A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat08ee19a932fc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat082b14fb3528.exe

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08ee19a932fc.exe

Sat08ee19a932fc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0896a250f5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0847b92f504.exe

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082b14fb3528.exe

Sat082b14fb3528.exe

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082056aadb8e0a.exe

Sat082056aadb8e0a.exe

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat080cfbcc640c1c7.exe

Sat080cfbcc640c1c7.exe

C:\Users\Admin\AppData\Local\Temp\is-VAVH2.tmp\Sat080cfbcc640c1c7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VAVH2.tmp\Sat080cfbcc640c1c7.tmp" /SL5="$3014E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat080cfbcc640c1c7.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082b14fb3528.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082b14fb3528.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0847b92f504.exe

Sat0847b92f504.exe

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08cc4f657fdcfb808.exe

Sat08cc4f657fdcfb808.exe

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0896a250f5.exe

Sat0896a250f5.exe

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe

"C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe"

C:\Users\Admin\AppData\Local\Temp\setup_2.exe

"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"

C:\Users\Admin\AppData\Local\Temp\3002.exe

"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a

C:\Users\Admin\AppData\Local\Temp\setup_2.exe

"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-IUFEF.tmp\setup_2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IUFEF.tmp\setup_2.tmp" /SL5="$201A8,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-236I4.tmp\setup_2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-236I4.tmp\setup_2.tmp" /SL5="$101A8,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\3002.exe

"C:\Users\Admin\AppData\Local\Temp\3002.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat08cc4f657fdcfb808.exe

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe

Sat0850ddaa28772a884.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat080cfbcc640c1c7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat082056aadb8e0a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0850ddaa28772a884.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1004

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\Pictures\Minor Policy\BXCQdyPIx9Idg6014ycqPJea.exe

"C:\Users\Admin\Pictures\Minor Policy\BXCQdyPIx9Idg6014ycqPJea.exe"

C:\Users\Admin\Pictures\Minor Policy\FCmW058s1wYep4b3sLtqdPD_.exe

"C:\Users\Admin\Pictures\Minor Policy\FCmW058s1wYep4b3sLtqdPD_.exe"

C:\Users\Admin\Pictures\Minor Policy\vJtpej09LxJyBS5cOmGMuXik.exe

"C:\Users\Admin\Pictures\Minor Policy\vJtpej09LxJyBS5cOmGMuXik.exe"

C:\Users\Admin\Pictures\Minor Policy\Cfq_8UtpmQQMsHxs8bJaox18.exe

"C:\Users\Admin\Pictures\Minor Policy\Cfq_8UtpmQQMsHxs8bJaox18.exe"

C:\Users\Admin\Pictures\Minor Policy\yySwHNGRXHJkncsI08yRlTY3.exe

"C:\Users\Admin\Pictures\Minor Policy\yySwHNGRXHJkncsI08yRlTY3.exe"

C:\Users\Admin\Pictures\Minor Policy\HJG3HvL643nDzQZCNV82Pu_c.exe

"C:\Users\Admin\Pictures\Minor Policy\HJG3HvL643nDzQZCNV82Pu_c.exe"

C:\Users\Admin\Pictures\Minor Policy\1l3HyItE2q6a87YfwfRm8H2k.exe

"C:\Users\Admin\Pictures\Minor Policy\1l3HyItE2q6a87YfwfRm8H2k.exe"

C:\Users\Admin\Pictures\Minor Policy\6ufzE_JiC8khnW5D1R53ldkK.exe

"C:\Users\Admin\Pictures\Minor Policy\6ufzE_JiC8khnW5D1R53ldkK.exe"

C:\Users\Admin\Pictures\Minor Policy\lM9rd7YF4t78xSRZ4g9nNMAn.exe

"C:\Users\Admin\Pictures\Minor Policy\lM9rd7YF4t78xSRZ4g9nNMAn.exe"

C:\Users\Admin\Pictures\Minor Policy\q81bpkdqRyf1Lzpyb5DpCd8S.exe

"C:\Users\Admin\Pictures\Minor Policy\q81bpkdqRyf1Lzpyb5DpCd8S.exe"

C:\Users\Admin\Pictures\Minor Policy\3MWEtmu19hIPU_Td4dWoxFgh.exe

"C:\Users\Admin\Pictures\Minor Policy\3MWEtmu19hIPU_Td4dWoxFgh.exe"
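Two command lines in the Processes section are the highest-value detection points on this page: the PowerShell Add-MpPreference -ExclusionPath call that exempts the drop directory from Defender scanning, and the schtasks /create /sc onlogon /rl highest task pointing at services64.exe under AppData\Roaming. The Python below is an added example, not part of the Triage report: a small rule set run over (image path, command line) pairs copied from the Processes section, plus one WerFault line as a negative control. The rule list, tag names and ATT&CK mappings are the editor's choices; the /SL5= rule only labels an Inno Setup second stage (setup.tmp relaunched with a handle back to its installer), which legitimate installers do as well and is informational.

```python
import re

# Constructed sample: (image path, command line) pairs copied from the report's
# Processes section; the WerFault entry is a negative control.
SAMPLE_PROCESSES = [
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    (r"C:\Windows\system32\schtasks.exe",
     r"""schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'"""),
    (r"C:\Users\Admin\Pictures\Minor Policy\BXCQdyPIx9Idg6014ycqPJea.exe",
     r'"C:\Users\Admin\Pictures\Minor Policy\BXCQdyPIx9Idg6014ycqPJea.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\is-IUFEF.tmp\setup_2.tmp",
     r'"C:\Users\Admin\AppData\Local\Temp\is-IUFEF.tmp\setup_2.tmp" /SL5="$201A8,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT'),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 428"),
]

# Each rule: (tag, ATT&CK technique or None, field it inspects, pattern).
# Tags and mappings are this example's own choices, not sandbox output.
RULES = [
    # Defender tampering: carving an exclusion out before the payloads are dropped.
    ("defender_exclusion", "T1562.001", "cmdline",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)),
    # Logon-triggered scheduled task whose action lives under a user profile.
    ("schtasks_logon_persistence", "T1053.005", "cmdline",
     re.compile(r"\bschtasks\b.*/create\b.*/sc\s+onlogon\b.*/tr\s+['\"]*[^'\"]*\\AppData\\", re.I)),
    # /rl highest asks for the task to run with the user's highest available privileges.
    ("schtasks_highest_runlevel", "T1053.005", "cmdline",
     re.compile(r"\bschtasks\b.*/create\b.*/rl\s+highest\b", re.I)),
    # Inno Setup second stage: setup.tmp relaunched with /SL5= (informational).
    ("inno_setup_stage2", None, "cmdline",
     re.compile(r"\.tmp\"?\s+/SL5=", re.I)),
    # Image executing from a user-writable location (checked on the image path,
    # because most dropped binaries here are launched via "cmd.exe /c <name>.exe").
    ("user_writable_exec", None, "image",
     re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Pictures|Desktop|Downloads|Documents)\\", re.I)),
]


def classify(image, cmdline):
    """Return the tags whose pattern matches this process, in rule order."""
    fields = {"image": image, "cmdline": cmdline}
    return [tag for tag, _tech, field, pat in RULES if pat.search(fields[field])]


def technique(tag):
    """ATT&CK technique recorded for a tag, or None for informational rules."""
    return next(t for name, t, _f, _p in RULES if name == tag)


def scan(processes):
    """Return {image: tags} for every process that triggered at least one rule."""
    hits = {}
    for image, cmdline in processes:
        tags = classify(image, cmdline)
        if tags:
            hits[image] = tags
    return hits


if __name__ == "__main__":
    for image, tags in scan(SAMPLE_PROCESSES).items():
        print(image)
        for tag in tags:
            print(f"  {tag} ({technique(tag) or 'informational'})")
```

Add-MpPreference needs an elevated process, so the exclusion lands in this sandbox (the run is under the Admin account) but fails for a standard user; alert on the attempt from the command line, and confirm whether it took effect from Get-MpPreference or the Microsoft-Windows-Windows Defender/Operational event 5007 (configuration changed).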

Network

Country Destination Domain Proto
US 8.8.8.8:53 hsiens.xyz udp
US 8.8.8.8:53 a.goatgame.co udp
US 35.168.184.46:443 a.goatgame.co tcp
US 8.8.8.8:53 garbage-cleaner.biz udp
US 23.21.244.74:443 a.goatgame.co tcp
US 8.8.8.8:53 live.goatgame.live udp
NL 37.0.10.214:80 tcp
US 35.186.238.101:80 garbage-cleaner.biz tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 8.8.8.8:53 the-flash-man.com udp
US 8.8.8.8:53 best-link-app.com udp
US 35.168.184.46:443 a.goatgame.co tcp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 theonlinesportsgroup.net udp
US 8.8.8.8:53 remotenetwork.xyz udp
US 8.8.8.8:53 remotepc3.xyz udp
US 8.8.8.8:53 liveme31.com udp
US 23.21.244.74:443 a.goatgame.co tcp
UA 194.145.227.161:80 tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 8.8.8.8:53 eduarroma.tumblr.com udp
US 74.114.154.22:443 eduarroma.tumblr.com tcp
US 23.21.244.74:443 a.goatgame.co tcp
N/A 127.0.0.1:49245 tcp
N/A 127.0.0.1:49247 tcp
US 8.8.8.8:53 liveme31.com udp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
NL 37.0.10.244:80 tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
UA 194.145.227.161:80 tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 8.8.8.8:53 2no.co udp
DE 148.251.234.93:443 2no.co tcp
US 8.8.8.8:53 yip.su udp
DE 148.251.234.93:443 yip.su tcp
US 35.168.184.46:443 a.goatgame.co tcp
DE 148.251.234.93:443 yip.su tcp
DE 148.251.234.93:443 yip.su tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
NL 212.193.30.115:80 212.193.30.115 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 8.8.8.8:53 derioswinf.org udp
US 8.8.8.8:53 trustnero.com udp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 104.21.1.91:80 trustnero.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 104.21.1.91:80 trustnero.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 104.21.1.91:80 trustnero.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 104.21.1.91:80 trustnero.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 104.21.1.91:443 trustnero.com tcp
KR 222.232.238.243:80 derioswinf.org tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
NL 104.110.191.182:80 apps.identrust.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 107.182.129.251:80 107.182.129.251 tcp
RU 62.204.41.178:80 62.204.41.178 tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 162.159.129.233:80 cdn.discordapp.com tcp
NL 23.2.164.159:80 x2.c.lencr.org tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 8.8.8.8:53 e1.o.lencr.org udp
US 162.159.129.233:80 cdn.discordapp.com tcp
NL 104.110.191.177:80 e1.o.lencr.org tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
KR 222.232.238.243:80 derioswinf.org tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 8.8.8.8:53 fakermet.com udp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 172.67.202.54:443 fakermet.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:80 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
UA 194.145.227.161:80 tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 8.8.8.8:53 a.goatgame.co udp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
UA 194.145.227.161:80 tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp
US 23.21.244.74:443 a.goatgame.co tcp
US 35.168.184.46:443 a.goatgame.co tcp

Files

memory/1956-54-0x0000000075141000-0x0000000075143000-memory.dmp

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 509b2d5f2b5072dbfcb2400220680e85
SHA1 a54daa92b92efe4bf75fdce1480271d5875a8fef
SHA256 7a3693f01994c44d4ec272b3dd68d102aed19acd9620609371e35535696d60fa
SHA512 84414301d9af460b6d6a1b6be43179dc6266b9dd2cc0c94c96b76196c9e9f113f4ddec0ef6db7d3495ab601ba54a68d770c061299fa93801581144d9047051f1

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 509b2d5f2b5072dbfcb2400220680e85
SHA1 a54daa92b92efe4bf75fdce1480271d5875a8fef
SHA256 7a3693f01994c44d4ec272b3dd68d102aed19acd9620609371e35535696d60fa
SHA512 84414301d9af460b6d6a1b6be43179dc6266b9dd2cc0c94c96b76196c9e9f113f4ddec0ef6db7d3495ab601ba54a68d770c061299fa93801581144d9047051f1

memory/1220-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 509b2d5f2b5072dbfcb2400220680e85
SHA1 a54daa92b92efe4bf75fdce1480271d5875a8fef
SHA256 7a3693f01994c44d4ec272b3dd68d102aed19acd9620609371e35535696d60fa
SHA512 84414301d9af460b6d6a1b6be43179dc6266b9dd2cc0c94c96b76196c9e9f113f4ddec0ef6db7d3495ab601ba54a68d770c061299fa93801581144d9047051f1

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 509b2d5f2b5072dbfcb2400220680e85
SHA1 a54daa92b92efe4bf75fdce1480271d5875a8fef
SHA256 7a3693f01994c44d4ec272b3dd68d102aed19acd9620609371e35535696d60fa
SHA512 84414301d9af460b6d6a1b6be43179dc6266b9dd2cc0c94c96b76196c9e9f113f4ddec0ef6db7d3495ab601ba54a68d770c061299fa93801581144d9047051f1

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 509b2d5f2b5072dbfcb2400220680e85
SHA1 a54daa92b92efe4bf75fdce1480271d5875a8fef
SHA256 7a3693f01994c44d4ec272b3dd68d102aed19acd9620609371e35535696d60fa
SHA512 84414301d9af460b6d6a1b6be43179dc6266b9dd2cc0c94c96b76196c9e9f113f4ddec0ef6db7d3495ab601ba54a68d770c061299fa93801581144d9047051f1

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 509b2d5f2b5072dbfcb2400220680e85
SHA1 a54daa92b92efe4bf75fdce1480271d5875a8fef
SHA256 7a3693f01994c44d4ec272b3dd68d102aed19acd9620609371e35535696d60fa
SHA512 84414301d9af460b6d6a1b6be43179dc6266b9dd2cc0c94c96b76196c9e9f113f4ddec0ef6db7d3495ab601ba54a68d770c061299fa93801581144d9047051f1

\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe

MD5 543b40950f1ead8eccf4d9dfd44ee6f6
SHA1 162859468c32973a1f18c33368ec18cfddb89152
SHA256 42cd009b532663346d3be1f034c0fc2ba9b39aaf7ef493e8ad521c8d17bcb842
SHA512 63897f15f1e0a41a9bd4895313b8a549c3db87b6d169058a72df37e2b4e09a8ec23c98cf5092581ec158dedededd17b1c17adff7abca63e9c20728e39d160554

\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe

MD5 543b40950f1ead8eccf4d9dfd44ee6f6
SHA1 162859468c32973a1f18c33368ec18cfddb89152
SHA256 42cd009b532663346d3be1f034c0fc2ba9b39aaf7ef493e8ad521c8d17bcb842
SHA512 63897f15f1e0a41a9bd4895313b8a549c3db87b6d169058a72df37e2b4e09a8ec23c98cf5092581ec158dedededd17b1c17adff7abca63e9c20728e39d160554

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe

MD5 543b40950f1ead8eccf4d9dfd44ee6f6
SHA1 162859468c32973a1f18c33368ec18cfddb89152
SHA256 42cd009b532663346d3be1f034c0fc2ba9b39aaf7ef493e8ad521c8d17bcb842
SHA512 63897f15f1e0a41a9bd4895313b8a549c3db87b6d169058a72df37e2b4e09a8ec23c98cf5092581ec158dedededd17b1c17adff7abca63e9c20728e39d160554

memory/1416-66-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe

MD5 543b40950f1ead8eccf4d9dfd44ee6f6
SHA1 162859468c32973a1f18c33368ec18cfddb89152
SHA256 42cd009b532663346d3be1f034c0fc2ba9b39aaf7ef493e8ad521c8d17bcb842
SHA512 63897f15f1e0a41a9bd4895313b8a549c3db87b6d169058a72df37e2b4e09a8ec23c98cf5092581ec158dedededd17b1c17adff7abca63e9c20728e39d160554

\Users\Admin\AppData\Local\Temp\7zS4C44050C\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zS4C44050C\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS4C44050C\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zS4C44050C\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS4C44050C\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe

MD5 543b40950f1ead8eccf4d9dfd44ee6f6
SHA1 162859468c32973a1f18c33368ec18cfddb89152
SHA256 42cd009b532663346d3be1f034c0fc2ba9b39aaf7ef493e8ad521c8d17bcb842
SHA512 63897f15f1e0a41a9bd4895313b8a549c3db87b6d169058a72df37e2b4e09a8ec23c98cf5092581ec158dedededd17b1c17adff7abca63e9c20728e39d160554

\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe

MD5 543b40950f1ead8eccf4d9dfd44ee6f6
SHA1 162859468c32973a1f18c33368ec18cfddb89152
SHA256 42cd009b532663346d3be1f034c0fc2ba9b39aaf7ef493e8ad521c8d17bcb842
SHA512 63897f15f1e0a41a9bd4895313b8a549c3db87b6d169058a72df37e2b4e09a8ec23c98cf5092581ec158dedededd17b1c17adff7abca63e9c20728e39d160554

\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe

MD5 543b40950f1ead8eccf4d9dfd44ee6f6
SHA1 162859468c32973a1f18c33368ec18cfddb89152
SHA256 42cd009b532663346d3be1f034c0fc2ba9b39aaf7ef493e8ad521c8d17bcb842
SHA512 63897f15f1e0a41a9bd4895313b8a549c3db87b6d169058a72df37e2b4e09a8ec23c98cf5092581ec158dedededd17b1c17adff7abca63e9c20728e39d160554

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\setup_install.exe

MD5 543b40950f1ead8eccf4d9dfd44ee6f6
SHA1 162859468c32973a1f18c33368ec18cfddb89152
SHA256 42cd009b532663346d3be1f034c0fc2ba9b39aaf7ef493e8ad521c8d17bcb842
SHA512 63897f15f1e0a41a9bd4895313b8a549c3db87b6d169058a72df37e2b4e09a8ec23c98cf5092581ec158dedededd17b1c17adff7abca63e9c20728e39d160554

memory/1416-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1416-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1416-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1416-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1416-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1416-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1416-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1416-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1416-93-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1416-95-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1416-94-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1416-92-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1416-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1072-96-0x0000000000000000-mapping.dmp

memory/1552-97-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe

MD5 9355ceef18ba1894ece55e90f9b1c7c9
SHA1 f90c42eb894054768ead22b86d6df7ffae49f1b0
SHA256 ea68d4a9489661ee5193ef57402744b60f210eb61909c70c2301f5b17d5ea4fe
SHA512 c027e6401d8490c0ea93c61b0cc4b43dd0d4c888b8e09d439161bdf4f855655c4a25654259888a1c8040cec23efe5739de3d5bebebb76cb4a01d80482aecdef7

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082b14fb3528.exe

MD5 a71033b8905fbfe1853114e040689448
SHA1 60621ea0755533c356911bc84e82a5130cf2e8cb
SHA256 b4d5ca1118bde5f5385c84e023c62930595aba9bba6bd1589d1cf30ded85aef1
SHA512 0fd4cca6ecb235f58b7adeba4f8f19b59fa019173ee3dee582781fa2dcf3b37983bee50abb0e890cf2d9904aedf259ceb7eaacc158df7d4527673dd94556af7e

memory/1712-104-0x0000000000000000-mapping.dmp

memory/1804-107-0x0000000000000000-mapping.dmp

memory/800-109-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08ee19a932fc.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe

MD5 9355ceef18ba1894ece55e90f9b1c7c9
SHA1 f90c42eb894054768ead22b86d6df7ffae49f1b0
SHA256 ea68d4a9489661ee5193ef57402744b60f210eb61909c70c2301f5b17d5ea4fe
SHA512 c027e6401d8490c0ea93c61b0cc4b43dd0d4c888b8e09d439161bdf4f855655c4a25654259888a1c8040cec23efe5739de3d5bebebb76cb4a01d80482aecdef7

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe

MD5 9355ceef18ba1894ece55e90f9b1c7c9
SHA1 f90c42eb894054768ead22b86d6df7ffae49f1b0
SHA256 ea68d4a9489661ee5193ef57402744b60f210eb61909c70c2301f5b17d5ea4fe
SHA512 c027e6401d8490c0ea93c61b0cc4b43dd0d4c888b8e09d439161bdf4f855655c4a25654259888a1c8040cec23efe5739de3d5bebebb76cb4a01d80482aecdef7

memory/2044-111-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08cc4f657fdcfb808.exe

MD5 20f8196b6f36e4551d1254d3f8bcd829
SHA1 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA512 75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

memory/1960-120-0x0000000000000000-mapping.dmp

memory/1980-125-0x0000000000000000-mapping.dmp

memory/1540-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0847b92f504.exe

MD5 2949f508ff5e507bff7801a9f81dac62
SHA1 7629d2ca3be460943514b1209ee789d96d915c52
SHA256 2794d8e923e83300f932da44a06062fd8f3b3f45717bc1b1921bb16d23a2277a
SHA512 422f5b80c3a2a63e5adfacd732ec89baf31da5d272fa98c29a553b93e48918ed26de0c027906ccf612d3585c9f82f904ba38e385a9ee53dbda18d485908524d7

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08ee19a932fc.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082056aadb8e0a.exe

MD5 bde00b802790bf8ba29b7e5042d4922e
SHA1 00f03f7128ee5a5ad6b5e6862740f1a1451123eb
SHA256 a1a8122324e059d87adfffc3c594217ec4ae0cf3406549c5ef6899f6271af801
SHA512 fd0ba71c3b1e0362de338464ae79c992ef36ab3a98835eaa7e252e161f90ef0bf77e24cebc276f7aa0a4c3d074b8d87b2a081e9c5521b6107f571845a98eebcf

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat080cfbcc640c1c7.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

memory/1264-139-0x0000000000000000-mapping.dmp

memory/744-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0896a250f5.exe

MD5 9c01b589dc572a9c2148f46e50025d57
SHA1 a1c705d92cd611600913c5a93d1468683bd99c2b
SHA256 0bcba30bc714e0c98e409d8621343fd8b5dce790d3b5adf5fff26dda8b258313
SHA512 901b8d37db4c2c5ed0cc4921fc7dcdedbae26affad4478ec16bec16f3bc6c5186a21746541fcc364733596eabb6b419f627f4aa13e53ba8b7e88dd683d3d8240

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082056aadb8e0a.exe

MD5 bde00b802790bf8ba29b7e5042d4922e
SHA1 00f03f7128ee5a5ad6b5e6862740f1a1451123eb
SHA256 a1a8122324e059d87adfffc3c594217ec4ae0cf3406549c5ef6899f6271af801
SHA512 fd0ba71c3b1e0362de338464ae79c992ef36ab3a98835eaa7e252e161f90ef0bf77e24cebc276f7aa0a4c3d074b8d87b2a081e9c5521b6107f571845a98eebcf

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082056aadb8e0a.exe

MD5 bde00b802790bf8ba29b7e5042d4922e
SHA1 00f03f7128ee5a5ad6b5e6862740f1a1451123eb
SHA256 a1a8122324e059d87adfffc3c594217ec4ae0cf3406549c5ef6899f6271af801
SHA512 fd0ba71c3b1e0362de338464ae79c992ef36ab3a98835eaa7e252e161f90ef0bf77e24cebc276f7aa0a4c3d074b8d87b2a081e9c5521b6107f571845a98eebcf

memory/1264-157-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1612-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0847b92f504.exe

MD5 2949f508ff5e507bff7801a9f81dac62
SHA1 7629d2ca3be460943514b1209ee789d96d915c52
SHA256 2794d8e923e83300f932da44a06062fd8f3b3f45717bc1b1921bb16d23a2277a
SHA512 422f5b80c3a2a63e5adfacd732ec89baf31da5d272fa98c29a553b93e48918ed26de0c027906ccf612d3585c9f82f904ba38e385a9ee53dbda18d485908524d7

memory/536-173-0x0000000000240000-0x0000000000340000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08cc4f657fdcfb808.exe

MD5 20f8196b6f36e4551d1254d3f8bcd829
SHA1 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA512 75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08cc4f657fdcfb808.exe

MD5 20f8196b6f36e4551d1254d3f8bcd829
SHA1 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA512 75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0847b92f504.exe

MD5 2949f508ff5e507bff7801a9f81dac62
SHA1 7629d2ca3be460943514b1209ee789d96d915c52
SHA256 2794d8e923e83300f932da44a06062fd8f3b3f45717bc1b1921bb16d23a2277a
SHA512 422f5b80c3a2a63e5adfacd732ec89baf31da5d272fa98c29a553b93e48918ed26de0c027906ccf612d3585c9f82f904ba38e385a9ee53dbda18d485908524d7

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0847b92f504.exe

MD5 2949f508ff5e507bff7801a9f81dac62
SHA1 7629d2ca3be460943514b1209ee789d96d915c52
SHA256 2794d8e923e83300f932da44a06062fd8f3b3f45717bc1b1921bb16d23a2277a
SHA512 422f5b80c3a2a63e5adfacd732ec89baf31da5d272fa98c29a553b93e48918ed26de0c027906ccf612d3585c9f82f904ba38e385a9ee53dbda18d485908524d7

memory/1264-168-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1740-174-0x0000000000400000-0x0000000002CB4000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-VAVH2.tmp\Sat080cfbcc640c1c7.tmp

MD5 090544331456bfb5de954f30519826f0
SHA1 8d0e1fa2d96e593f7f4318fa9e355c852b5b1fd4
SHA256 b32cbc6b83581d4dc39aa7106e983e693c5df0e0a28f146f0a37bc0c23442047
SHA512 03d5cbc044da526c8b6269a9122437b8d386530900e2b8452e4cf7b3d36fc895696cbe665e650a9afbdec4bad64a3dc0f6f5e1309e07f6f1407ec0643cac121d

memory/1520-176-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-VAVH2.tmp\Sat080cfbcc640c1c7.tmp

MD5 090544331456bfb5de954f30519826f0
SHA1 8d0e1fa2d96e593f7f4318fa9e355c852b5b1fd4
SHA256 b32cbc6b83581d4dc39aa7106e983e693c5df0e0a28f146f0a37bc0c23442047
SHA512 03d5cbc044da526c8b6269a9122437b8d386530900e2b8452e4cf7b3d36fc895696cbe665e650a9afbdec4bad64a3dc0f6f5e1309e07f6f1407ec0643cac121d

memory/744-179-0x0000000000250000-0x000000000027C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082b14fb3528.exe

MD5 a71033b8905fbfe1853114e040689448
SHA1 60621ea0755533c356911bc84e82a5130cf2e8cb
SHA256 b4d5ca1118bde5f5385c84e023c62930595aba9bba6bd1589d1cf30ded85aef1
SHA512 0fd4cca6ecb235f58b7adeba4f8f19b59fa019173ee3dee582781fa2dcf3b37983bee50abb0e890cf2d9904aedf259ceb7eaacc158df7d4527673dd94556af7e

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08cc4f657fdcfb808.exe

MD5 20f8196b6f36e4551d1254d3f8bcd829
SHA1 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA512 75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

memory/1740-162-0x00000000001D0000-0x00000000001D9000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0847b92f504.exe

MD5 2949f508ff5e507bff7801a9f81dac62
SHA1 7629d2ca3be460943514b1209ee789d96d915c52
SHA256 2794d8e923e83300f932da44a06062fd8f3b3f45717bc1b1921bb16d23a2277a
SHA512 422f5b80c3a2a63e5adfacd732ec89baf31da5d272fa98c29a553b93e48918ed26de0c027906ccf612d3585c9f82f904ba38e385a9ee53dbda18d485908524d7

memory/1740-158-0x00000000002C1000-0x00000000002C9000-memory.dmp

memory/1076-156-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08cc4f657fdcfb808.exe

MD5 20f8196b6f36e4551d1254d3f8bcd829
SHA1 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA512 75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat080cfbcc640c1c7.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

memory/1612-180-0x0000000000200000-0x0000000000312000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat080cfbcc640c1c7.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0896a250f5.exe

MD5 9c01b589dc572a9c2148f46e50025d57
SHA1 a1c705d92cd611600913c5a93d1468683bd99c2b
SHA256 0bcba30bc714e0c98e409d8621343fd8b5dce790d3b5adf5fff26dda8b258313
SHA512 901b8d37db4c2c5ed0cc4921fc7dcdedbae26affad4478ec16bec16f3bc6c5186a21746541fcc364733596eabb6b419f627f4aa13e53ba8b7e88dd683d3d8240

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat080cfbcc640c1c7.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

memory/536-141-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082056aadb8e0a.exe

MD5 bde00b802790bf8ba29b7e5042d4922e
SHA1 00f03f7128ee5a5ad6b5e6862740f1a1451123eb
SHA256 a1a8122324e059d87adfffc3c594217ec4ae0cf3406549c5ef6899f6271af801
SHA512 fd0ba71c3b1e0362de338464ae79c992ef36ab3a98835eaa7e252e161f90ef0bf77e24cebc276f7aa0a4c3d074b8d87b2a081e9c5521b6107f571845a98eebcf

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082056aadb8e0a.exe

MD5 bde00b802790bf8ba29b7e5042d4922e
SHA1 00f03f7128ee5a5ad6b5e6862740f1a1451123eb
SHA256 a1a8122324e059d87adfffc3c594217ec4ae0cf3406549c5ef6899f6271af801
SHA512 fd0ba71c3b1e0362de338464ae79c992ef36ab3a98835eaa7e252e161f90ef0bf77e24cebc276f7aa0a4c3d074b8d87b2a081e9c5521b6107f571845a98eebcf

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08ee19a932fc.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082b14fb3528.exe

MD5 a71033b8905fbfe1853114e040689448
SHA1 60621ea0755533c356911bc84e82a5130cf2e8cb
SHA256 b4d5ca1118bde5f5385c84e023c62930595aba9bba6bd1589d1cf30ded85aef1
SHA512 0fd4cca6ecb235f58b7adeba4f8f19b59fa019173ee3dee582781fa2dcf3b37983bee50abb0e890cf2d9904aedf259ceb7eaacc158df7d4527673dd94556af7e

memory/744-181-0x0000000000480000-0x000000000049E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0896a250f5.exe

MD5 9c01b589dc572a9c2148f46e50025d57
SHA1 a1c705d92cd611600913c5a93d1468683bd99c2b
SHA256 0bcba30bc714e0c98e409d8621343fd8b5dce790d3b5adf5fff26dda8b258313
SHA512 901b8d37db4c2c5ed0cc4921fc7dcdedbae26affad4478ec16bec16f3bc6c5186a21746541fcc364733596eabb6b419f627f4aa13e53ba8b7e88dd683d3d8240

memory/1492-119-0x0000000000000000-mapping.dmp

memory/1580-182-0x0000000000000000-mapping.dmp

memory/1928-186-0x0000000000C50000-0x0000000000C7A000-memory.dmp

memory/1888-187-0x0000000001320000-0x0000000001328000-memory.dmp

memory/1928-188-0x0000000000140000-0x000000000015E000-memory.dmp

memory/1888-185-0x0000000000000000-mapping.dmp

memory/1928-184-0x0000000000000000-mapping.dmp

memory/1580-183-0x000000013FF20000-0x000000013FF30000-memory.dmp

memory/1680-189-0x0000000000000000-mapping.dmp

memory/1784-191-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe

MD5 9355ceef18ba1894ece55e90f9b1c7c9
SHA1 f90c42eb894054768ead22b86d6df7ffae49f1b0
SHA256 ea68d4a9489661ee5193ef57402744b60f210eb61909c70c2301f5b17d5ea4fe
SHA512 c027e6401d8490c0ea93c61b0cc4b43dd0d4c888b8e09d439161bdf4f855655c4a25654259888a1c8040cec23efe5739de3d5bebebb76cb4a01d80482aecdef7

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08ee19a932fc.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

memory/1784-193-0x0000000000400000-0x0000000000414000-memory.dmp

memory/736-196-0x0000000000000000-mapping.dmp

memory/1784-201-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1620-200-0x0000000000000000-mapping.dmp

memory/1620-203-0x0000000000400000-0x0000000000414000-memory.dmp

memory/592-205-0x0000000000000000-mapping.dmp

memory/536-199-0x0000000003100000-0x0000000005A0F000-memory.dmp

memory/1808-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat080cfbcc640c1c7.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

memory/1740-114-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe

MD5 9355ceef18ba1894ece55e90f9b1c7c9
SHA1 f90c42eb894054768ead22b86d6df7ffae49f1b0
SHA256 ea68d4a9489661ee5193ef57402744b60f210eb61909c70c2301f5b17d5ea4fe
SHA512 c027e6401d8490c0ea93c61b0cc4b43dd0d4c888b8e09d439161bdf4f855655c4a25654259888a1c8040cec23efe5739de3d5bebebb76cb4a01d80482aecdef7

memory/536-207-0x0000000000400000-0x0000000002D0F000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat0850ddaa28772a884.exe

MD5 9355ceef18ba1894ece55e90f9b1c7c9
SHA1 f90c42eb894054768ead22b86d6df7ffae49f1b0
SHA256 ea68d4a9489661ee5193ef57402744b60f210eb61909c70c2301f5b17d5ea4fe
SHA512 c027e6401d8490c0ea93c61b0cc4b43dd0d4c888b8e09d439161bdf4f855655c4a25654259888a1c8040cec23efe5739de3d5bebebb76cb4a01d80482aecdef7

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat082056aadb8e0a.exe

MD5 bde00b802790bf8ba29b7e5042d4922e
SHA1 00f03f7128ee5a5ad6b5e6862740f1a1451123eb
SHA256 a1a8122324e059d87adfffc3c594217ec4ae0cf3406549c5ef6899f6271af801
SHA512 fd0ba71c3b1e0362de338464ae79c992ef36ab3a98835eaa7e252e161f90ef0bf77e24cebc276f7aa0a4c3d074b8d87b2a081e9c5521b6107f571845a98eebcf

C:\Users\Admin\AppData\Local\Temp\7zS4C44050C\Sat08ee19a932fc.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

memory/1616-99-0x0000000000000000-mapping.dmp

memory/2044-209-0x0000000071430000-0x00000000719DB000-memory.dmp

memory/2060-208-0x0000000000000000-mapping.dmp

memory/1680-211-0x0000000000240000-0x000000000026F000-memory.dmp

memory/1680-210-0x0000000002E5F000-0x0000000002E7A000-memory.dmp

memory/1680-213-0x0000000000400000-0x0000000002CC7000-memory.dmp

memory/2168-212-0x0000000000000000-mapping.dmp

memory/1740-214-0x0000000000400000-0x0000000002CB4000-memory.dmp

memory/1740-215-0x00000000002C1000-0x00000000002C9000-memory.dmp

memory/1620-216-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2044-217-0x0000000071430000-0x00000000719DB000-memory.dmp

memory/1264-218-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2444-219-0x0000000000000000-mapping.dmp

memory/1416-220-0x0000000064940000-0x0000000064959000-memory.dmp

memory/536-221-0x0000000000240000-0x0000000000340000-memory.dmp

memory/536-222-0x0000000000400000-0x0000000002D0F000-memory.dmp

memory/536-223-0x0000000003100000-0x0000000005A0F000-memory.dmp

memory/1680-224-0x0000000002E5F000-0x0000000002E7A000-memory.dmp

memory/1680-225-0x0000000000400000-0x0000000002CC7000-memory.dmp

memory/1580-226-0x0000000000160000-0x000000000016E000-memory.dmp

memory/1580-227-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

memory/2564-228-0x0000000000000000-mapping.dmp

memory/2596-229-0x0000000000000000-mapping.dmp

memory/2652-230-0x0000000000000000-mapping.dmp

memory/2652-231-0x000000013FFA0000-0x000000013FFB0000-memory.dmp

memory/1076-232-0x00000000040E0000-0x0000000004334000-memory.dmp

memory/2768-233-0x0000000000000000-mapping.dmp

memory/2940-234-0x0000000000000000-mapping.dmp

memory/2956-236-0x0000000000000000-mapping.dmp

memory/3060-248-0x0000000000000000-mapping.dmp

memory/2984-239-0x0000000000000000-mapping.dmp

memory/3028-244-0x0000000000000000-mapping.dmp

memory/3000-241-0x0000000000000000-mapping.dmp

memory/2972-238-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-15 16:06

Reported

2022-08-15 16:08

Platform

win10v2004-20220812-en

Max time kernel

113s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe"

Signatures

OnlyLogger

loader onlylogger

PrivateLoader

loader privateloader

Vidar

stealer vidar

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat08ee19a932fc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0850ddaa28772a884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat082b14fb3528.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat082056aadb8e0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat08cc4f657fdcfb808.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat080cfbcc640c1c7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0896a250f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0847b92f504.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3BIPE.tmp\Sat080cfbcc640c1c7.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3002.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9GGJV.tmp\setup_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jhuuee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OBF09.tmp\setup_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3002.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-9GGJV.tmp\setup_2.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3002.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat082056aadb8e0a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0850ddaa28772a884.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0850ddaa28772a884.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0850ddaa28772a884.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0850ddaa28772a884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0850ddaa28772a884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0850ddaa28772a884.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0896a250f5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3536 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4724 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe
PID 4280 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4076 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1684 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat08ee19a932fc.exe
PID 4280 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0850ddaa28772a884.exe
PID 4280 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat082b14fb3528.exe
PID 5068 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat082056aadb8e0a.exe
PID 2860 wrote to memory of 364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat08cc4f657fdcfb808.exe
PID 4280 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat080cfbcc640c1c7.exe
PID 4132 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0896a250f5.exe
PID 2092 wrote to memory of 3448 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0847b92f504.exe
PID 4224 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat080cfbcc640c1c7.exe C:\Users\Admin\AppData\Local\Temp\is-3BIPE.tmp\Sat080cfbcc640c1c7.tmp
PID 3448 wrote to memory of 4900 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
PID 3448 wrote to memory of 4260 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe

Processes

C:\Users\Admin\AppData\Local\Temp\A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe

"C:\Users\Admin\AppData\Local\Temp\A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0850ddaa28772a884.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat082056aadb8e0a.exe

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat08ee19a932fc.exe

Sat08ee19a932fc.exe

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat082b14fb3528.exe

Sat082b14fb3528.exe

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat082056aadb8e0a.exe

Sat082056aadb8e0a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat08cc4f657fdcfb808.exe

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0850ddaa28772a884.exe

Sat0850ddaa28772a884.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat080cfbcc640c1c7.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat082b14fb3528.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat08ee19a932fc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0896a250f5.exe

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat08cc4f657fdcfb808.exe

Sat08cc4f657fdcfb808.exe

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat080cfbcc640c1c7.exe

Sat080cfbcc640c1c7.exe

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0896a250f5.exe

Sat0896a250f5.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4280 -ip 4280

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0847b92f504.exe

Sat0847b92f504.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0847b92f504.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 568

C:\Users\Admin\AppData\Local\Temp\is-3BIPE.tmp\Sat080cfbcc640c1c7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3BIPE.tmp\Sat080cfbcc640c1c7.tmp" /SL5="$5003E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat080cfbcc640c1c7.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"

C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe

"C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\setup_2.exe

"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"

C:\Users\Admin\AppData\Local\Temp\3002.exe

"C:\Users\Admin\AppData\Local\Temp\3002.exe"

C:\Users\Admin\AppData\Local\Temp\is-9GGJV.tmp\setup_2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9GGJV.tmp\setup_2.tmp" /SL5="$1D0022,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\setup_2.exe

"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-OBF09.tmp\setup_2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OBF09.tmp\setup_2.tmp" /SL5="$1E0022,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\3002.exe

"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1832 -ip 1832

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 996

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1308

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1832 -ip 1832

Network


Files

memory/4724-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 509b2d5f2b5072dbfcb2400220680e85
SHA1 a54daa92b92efe4bf75fdce1480271d5875a8fef
SHA256 7a3693f01994c44d4ec272b3dd68d102aed19acd9620609371e35535696d60fa
SHA512 84414301d9af460b6d6a1b6be43179dc6266b9dd2cc0c94c96b76196c9e9f113f4ddec0ef6db7d3495ab601ba54a68d770c061299fa93801581144d9047051f1

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 509b2d5f2b5072dbfcb2400220680e85
SHA1 a54daa92b92efe4bf75fdce1480271d5875a8fef
SHA256 7a3693f01994c44d4ec272b3dd68d102aed19acd9620609371e35535696d60fa
SHA512 84414301d9af460b6d6a1b6be43179dc6266b9dd2cc0c94c96b76196c9e9f113f4ddec0ef6db7d3495ab601ba54a68d770c061299fa93801581144d9047051f1

memory/4280-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe

MD5 543b40950f1ead8eccf4d9dfd44ee6f6
SHA1 162859468c32973a1f18c33368ec18cfddb89152
SHA256 42cd009b532663346d3be1f034c0fc2ba9b39aaf7ef493e8ad521c8d17bcb842
SHA512 63897f15f1e0a41a9bd4895313b8a549c3db87b6d169058a72df37e2b4e09a8ec23c98cf5092581ec158dedededd17b1c17adff7abca63e9c20728e39d160554

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\setup_install.exe

MD5 543b40950f1ead8eccf4d9dfd44ee6f6
SHA1 162859468c32973a1f18c33368ec18cfddb89152
SHA256 42cd009b532663346d3be1f034c0fc2ba9b39aaf7ef493e8ad521c8d17bcb842
SHA512 63897f15f1e0a41a9bd4895313b8a549c3db87b6d169058a72df37e2b4e09a8ec23c98cf5092581ec158dedededd17b1c17adff7abca63e9c20728e39d160554

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat08ee19a932fc.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat082b14fb3528.exe

MD5 a71033b8905fbfe1853114e040689448
SHA1 60621ea0755533c356911bc84e82a5130cf2e8cb
SHA256 b4d5ca1118bde5f5385c84e023c62930595aba9bba6bd1589d1cf30ded85aef1
SHA512 0fd4cca6ecb235f58b7adeba4f8f19b59fa019173ee3dee582781fa2dcf3b37983bee50abb0e890cf2d9904aedf259ceb7eaacc158df7d4527673dd94556af7e

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat082056aadb8e0a.exe

MD5 bde00b802790bf8ba29b7e5042d4922e
SHA1 00f03f7128ee5a5ad6b5e6862740f1a1451123eb
SHA256 a1a8122324e059d87adfffc3c594217ec4ae0cf3406549c5ef6899f6271af801
SHA512 fd0ba71c3b1e0362de338464ae79c992ef36ab3a98835eaa7e252e161f90ef0bf77e24cebc276f7aa0a4c3d074b8d87b2a081e9c5521b6107f571845a98eebcf

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0850ddaa28772a884.exe

MD5 9355ceef18ba1894ece55e90f9b1c7c9
SHA1 f90c42eb894054768ead22b86d6df7ffae49f1b0
SHA256 ea68d4a9489661ee5193ef57402744b60f210eb61909c70c2301f5b17d5ea4fe
SHA512 c027e6401d8490c0ea93c61b0cc4b43dd0d4c888b8e09d439161bdf4f855655c4a25654259888a1c8040cec23efe5739de3d5bebebb76cb4a01d80482aecdef7

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat08cc4f657fdcfb808.exe

MD5 20f8196b6f36e4551d1254d3f8bcd829
SHA1 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA512 75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0847b92f504.exe

MD5 2949f508ff5e507bff7801a9f81dac62
SHA1 7629d2ca3be460943514b1209ee789d96d915c52
SHA256 2794d8e923e83300f932da44a06062fd8f3b3f45717bc1b1921bb16d23a2277a
SHA512 422f5b80c3a2a63e5adfacd732ec89baf31da5d272fa98c29a553b93e48918ed26de0c027906ccf612d3585c9f82f904ba38e385a9ee53dbda18d485908524d7

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat0896a250f5.exe

MD5 9c01b589dc572a9c2148f46e50025d57
SHA1 a1c705d92cd611600913c5a93d1468683bd99c2b
SHA256 0bcba30bc714e0c98e409d8621343fd8b5dce790d3b5adf5fff26dda8b258313
SHA512 901b8d37db4c2c5ed0cc4921fc7dcdedbae26affad4478ec16bec16f3bc6c5186a21746541fcc364733596eabb6b419f627f4aa13e53ba8b7e88dd683d3d8240

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\Sat080cfbcc640c1c7.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS472166D6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\is-3BIPE.tmp\Sat080cfbcc640c1c7.tmp

MD5 090544331456bfb5de954f30519826f0
SHA1 8d0e1fa2d96e593f7f4318fa9e355c852b5b1fd4
SHA256 b32cbc6b83581d4dc39aa7106e983e693c5df0e0a28f146f0a37bc0c23442047
SHA512 03d5cbc044da526c8b6269a9122437b8d386530900e2b8452e4cf7b3d36fc895696cbe665e650a9afbdec4bad64a3dc0f6f5e1309e07f6f1407ec0643cac121d

C:\Users\Admin\AppData\Local\Temp\is-8UDB3.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

MD5 93460c75de91c3601b4a47d2b99d8f94
SHA1 f2e959a3291ef579ae254953e62d098fe4557572
SHA256 0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA512 4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 783110ce4db93e7d833819276da3734c
SHA1 88bcddf56337a5771974088b3c10c6b4e36e5676
SHA256 4e7640d4b2f949f0fbec5bc4232d54ae152e7c94233cacded956df75cd0b99a6
SHA512 280118ebe3fde9ec576fb704ba12d10eab54da0b501ff3bacf6874a6af354da113f5687dc045acb23d4576af3219adb05b7b5c732bb3ff7dc4ada0abc848fb4c

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 4aeb9d22421a08cd6aeab4bbfe60c009
SHA1 e2b43b914d923c78bab93ef37f78d5b1daf8b9a0
SHA256 2982a6c0966b112bf77f7331716f456c96f87b518d150c178d12bb2c33c8aaa5
SHA512 6153fa3f8e0b5c6b470983893ae9d04b443b1eb369b32095b60af21feec96ad22293deb9a592dbb84c9ae0b21e4e4761f1fb4feae4faf927a452ede24482636e

C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe

MD5 03300b966016a0d8d6e1c1c2cb553a1f
SHA1 8c04004a4b58bbf51267f12eb81ff0a351f3e052
SHA256 8ad86028d1df01a6a9029d5f3a931657cb2fb8c7fa43f674f5d660d91f2346c5
SHA512 c5f7c79681f65e8e6408654304c84b7455e34a9cdca16947fbc80fd25ce5f91ef7c1c7fdbbd47f1ae68457eb81edda604712dd67775d2e88ce538ca23d97bafa

C:\Users\Admin\AppData\Local\Temp\setup_2.exe

MD5 3f85c284c00d521faf86158691fd40c5
SHA1 ee06d5057423f330141ecca668c5c6f9ccf526af
SHA256 28915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc
SHA512 0458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492

C:\Users\Admin\AppData\Local\Temp\3002.exe

MD5 e511bb4cf31a2307b6f3445a869bcf31
SHA1 76f5c6e8df733ac13d205d426831ed7672a05349
SHA256 56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137
SHA512 9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c

C:\Users\Admin\AppData\Local\Temp\is-9GGJV.tmp\setup_2.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 1bfb5deb08ebf336bc1b3af9a4c907cc
SHA1 258f2de1ed1f65e65b181d7cb1f308c0bb1078de
SHA256 477b4e6c8eec49e7777796751d1fdfd4a6efe47be63a544a0aa9d5f871d7b3f7
SHA512 5f5e5a32c911642c4be0d4eb00b02b47c62b2c621ece214447f0b78d0c15bc96c2489ef78685c5f0dd9f4167c614334eefd78c0bdbbd3cb3f7f6143933594f16

C:\Users\Admin\AppData\Local\Temp\is-61O3D.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\is-OBF09.tmp\setup_2.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-UVUQA.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Roaming\services64.exe

MD5 93460c75de91c3601b4a47d2b99d8f94
SHA1 f2e959a3291ef579ae254953e62d098fe4557572
SHA256 0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA512 4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
