Malware Analysis Report

2024-10-19 02:13

Sample ID 231230-p42c7acden
Target 1923715e6214c54be40797c3d821fbfc
SHA256 d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
Tags: betabot fabookie gozi nullmixer privateloader smokeloader vidar 706 aspackv2 backdoor banker botnet dropper evasion isfb loader persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548

Threat Level: Known bad

The file 1923715e6214c54be40797c3d821fbfc was found to be: Known bad.

Malicious Activity Summary

betabot fabookie gozi nullmixer privateloader smokeloader vidar 706 aspackv2 backdoor banker botnet dropper evasion isfb loader persistence spyware stealer trojan

Fabookie

Gozi

Detect Fabookie payload

SmokeLoader

Modifies firewall policy service

Vidar

PrivateLoader

NullMixer

BetaBot

Vidar Stealer

Looks for VMWare services registry key.

Sets file execution options in registry

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Checks whether UAC is enabled

Drops desktop.ini file(s)

Checks for any installed AV software in registry

Maps connected drives based on registry

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious use of UnmapMainImage

Modifies Internet Explorer Protected Mode

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer Protected Mode Banner

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Modifies Internet Explorer settings

Runs regedit.exe

Creates scheduled task(s)

NTFS ADS

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-30 12:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-30 12:53
Reported: 2023-12-31 22:14
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 169s

Command Line: C:\Windows\Explorer.EXE

Signatures

BetaBot

trojan backdoor botnet betabot

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Gozi

banker trojan gozi

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks for VMWare services registry key.

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe\Debugger = "lcusvl.exe" C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "idhusalyn.exe" C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "ayrkllxwp.exe" C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "sfaywpxbc.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ou37cg1s1e7ee9.exe C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ou37cg1s1e7ee9.exe\DisableExceptionChainValidation C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "kqoggxylu.exe" C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "gifupgkum.exe" C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\explorer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D86F8B6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D86F8B6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D86F8B6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D86F8B6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D86F8B6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D86F8B6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D86F8B6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun218856081dd1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun218856081dd1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21dd3b887a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21dd3b887a3.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun218856081dd1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7JU9R.tmp\Sun218856081dd1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7JU9R.tmp\Sun218856081dd1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7JU9R.tmp\Sun218856081dd1.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\ou37cg1s1e7ee9.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\ou37cg1s1e7ee9.exe\"" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\ou37cg1s1e7ee9.exe\"" C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Java Updater\desktop.ini C:\Windows\SysWOW64\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\explorer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <certificate blob omitted> C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <certificate blob omitted> C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun213b31a7e71d4cf6d.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = <certificate blob omitted> C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun213b31a7e71d4cf6d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = <certificate blob omitted> C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = <certificate blob omitted> C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe:1BB7FB68 C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe:1BB7FB68 C:\Windows\SysWOW64\explorer.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun213b31a7e71d4cf6d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21ab69e87d0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\45D6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2024 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2024 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2264 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS8D86F8B6\setup_install.exe
PID 2232 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D86F8B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe
PID 872 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe
PID 1020 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe

"C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8D86F8B6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8D86F8B6\setup_install.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "37971888-18101947591451164234396784681-1928376552-24589537411389220521182254349"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe

C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe

C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe

C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2122551802-1232081075-11498373222774246935904209191855246084-7451386261169582941"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun21caad43cbccfb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun21dd3b887a3.exe

C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun218856081dd1.exe

Sun218856081dd1.exe

C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21dd3b887a3.exe

Sun21dd3b887a3.exe

C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21caad43cbccfb.exe

Sun21caad43cbccfb.exe

C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun213b31a7e71d4cf6d.exe

Sun213b31a7e71d4cf6d.exe

C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe

Sun21688b2b2b63.exe

C:\Users\Admin\AppData\Local\Temp\is-7JU9R.tmp\Sun218856081dd1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7JU9R.tmp\Sun218856081dd1.tmp" /SL5="$6017E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun218856081dd1.exe"

C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe

Sun211972de1e.exe

C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21ab69e87d0.exe

Sun21ab69e87d0.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe

Sun21cfc7686a.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun213b31a7e71d4cf6d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun21ab69e87d0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun218856081dd1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun21688b2b2b63.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun21cfc7686a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun211972de1e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 940

C:\Users\Admin\AppData\Local\Temp\45D6.exe

C:\Users\Admin\AppData\Local\Temp\45D6.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\5764.exe

C:\Users\Admin\AppData\Local\Temp\5764.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 640

C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe

/suac

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\SysWOW64\regedit.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\OU37CG~1.EXE" /RL HIGHEST

Network


Files


memory/2820-350-0x00000000001C0000-0x0000000000284000-memory.dmp

memory/2120-349-0x0000000000300000-0x0000000000306000-memory.dmp

memory/2820-346-0x00000000001C0000-0x0000000000284000-memory.dmp

memory/3040-344-0x0000000002140000-0x00000000021C0000-memory.dmp

memory/2820-355-0x00000000000E0000-0x00000000000E6000-memory.dmp

memory/2460-343-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

memory/2820-356-0x00000000002B0000-0x00000000002BC000-memory.dmp

memory/2820-357-0x00000000001C0000-0x0000000000284000-memory.dmp

memory/2820-358-0x0000000077C20000-0x0000000077DA1000-memory.dmp

memory/2820-359-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/3040-360-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

memory/2820-361-0x0000000077C20000-0x0000000077DA1000-memory.dmp

memory/2820-362-0x0000000077C20000-0x0000000077DA1000-memory.dmp

memory/1224-369-0x000000013F650000-0x000000013FD15000-memory.dmp

memory/892-368-0x000000013F650000-0x000000013FD15000-memory.dmp

memory/1224-367-0x000000013F650000-0x000000013FD15000-memory.dmp

memory/1264-371-0x0000000000890000-0x0000000000954000-memory.dmp

memory/2820-372-0x0000000077C20000-0x0000000077DA1000-memory.dmp

memory/2820-370-0x0000000077C20000-0x0000000077DA1000-memory.dmp

memory/872-373-0x0000000002CB0000-0x0000000002D74000-memory.dmp

memory/1224-374-0x0000000077A91000-0x0000000077A92000-memory.dmp

memory/872-375-0x0000000002CB0000-0x0000000002D74000-memory.dmp

memory/1224-388-0x0000000002A00000-0x0000000002A06000-memory.dmp

memory/1180-392-0x0000000077A91000-0x0000000077A92000-memory.dmp

memory/2820-396-0x0000000077C20000-0x0000000077DA1000-memory.dmp

memory/2188-397-0x0000000077A40000-0x0000000077BE9000-memory.dmp

memory/636-399-0x0000000077C4D000-0x0000000077C4E000-memory.dmp

memory/2460-401-0x0000000077A40000-0x0000000077BE9000-memory.dmp

memory/636-400-0x00000000031C0000-0x0000000003284000-memory.dmp

memory/2820-398-0x00000000001C0000-0x0000000000284000-memory.dmp

memory/1716-402-0x0000000077A91000-0x0000000077A92000-memory.dmp

memory/2820-409-0x00000000000E0000-0x00000000000E6000-memory.dmp

memory/2476-412-0x0000000000210000-0x000000000021C000-memory.dmp

memory/2476-411-0x0000000000E30000-0x0000000000EF4000-memory.dmp

memory/2252-410-0x0000000077A91000-0x0000000077A92000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 12:53

Reported

2023-12-31 22:15

Platform

win10v2004-20231215-en

Max time kernel

126s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe"

Signatures

BetaBot

trojan backdoor botnet betabot

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Gozi

banker trojan gozi

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks for VMWare services registry key.

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uq5qcoy755.exe C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uq5qcoy755.exe\DisableExceptionChainValidation C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "tdlsxhrbz.exe" C:\Windows\SysWOW64\explorer.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\97A3.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\uq5qcoy755.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\uq5qcoy755.exe\"" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\uq5qcoy755.exe\"" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Java Updater\uq5qcoy755.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun211972de1e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\explorer.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21dd3b887a3.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\explorer.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\explorer.exe

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\ProgramData\Java Updater\uq5qcoy755.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\ProgramData\Java Updater\uq5qcoy755.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\explorer.exe N/A
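The registry rows in the signature tables above (the FirewallPolicy profile edits, the Image File Execution Options entries for rstrui.exe and uq5qcoy755.exe, the "Java Updater" Run/RunOnce values, the Internet Settings zone 2500 changes, and the VMware, Geo\Nation and EnableLUA reads) are the events an analyst pulls out of a report like this first. The Python below is an added example by the editor, not part of the sandbox report or of any of the listed malware families: it parses rows in the report's own "Description Indicator Process Target" layout and maps each one to an ATT&CK technique with a one-line explanation of its effect. The sample rows are copied from the tables above; the technique mapping, the zone-number table and the `triage`/`by_process` helper names are the editor's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: registry rows copied verbatim from the behavioral2
# signature tables (one event per line, exactly as the report prints them).
SAMPLE_ROWS = r'''
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uq5qcoy755.exe\DisableExceptionChainValidation C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "tdlsxhrbz.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\uq5qcoy755.exe\"" C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\97A3.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Java Updater\uq5qcoy755.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
'''

# One row = operation, key path, optional = "value", process image, target.
# Key and process paths may contain spaces, so the process is anchored on
# a drive letter and a trailing .exe, and the target is N/A or a path.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Key queried|Key enumerated|Key value queried|'
    r'Set value \((?:str|int)\)) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<proc>[A-Z]:\\.+?\.exe) '
    r'(?P<target>N/A|[A-Z]:\\.+)$'
)

# Internet Explorer security zone ids (editor's table, not from the report).
ZONES = {'0': 'My Computer', '1': 'Local Intranet', '2': 'Trusted Sites',
         '3': 'Internet', '4': 'Restricted Sites'}


def unquote(value):
    """Undo the report's escaping (\\" -> " and \\\\ -> \\) and drop outer quotes."""
    return value.replace(r'\"', '"').replace('\\\\', '\\').strip('"')


def classify(ev):
    """Map one registry event to (ATT&CK technique id, human-readable effect)."""
    key, value, op = ev['key'], ev['value'], ev['op']
    leaf = key.rsplit('\\', 1)[-1]
    if '\\FirewallPolicy\\' in key:
        if leaf == 'EnableFirewall' and value == '0':
            profile = key.split('\\')[-2]
            return 'T1562.004', f'host firewall disabled in profile {profile}'
        return 'T1562.004', f'firewall policy key created/changed: {leaf}'
    if '\\Image File Execution Options\\' in key:
        image = key.split('\\Image File Execution Options\\', 1)[1].split('\\')[0]
        if leaf == 'Debugger':
            # Any launch of <image> is redirected to the Debugger value.
            return 'T1546.012', f'IFEO hijack: launching {image} runs {value} instead'
        if leaf == 'DisableExceptionChainValidation':
            return 'T1562.001', f'SEHOP disabled for {image}'
    if op.startswith('Set value') and re.search(r'\\CurrentVersion\\Run(Once)?\\', key):
        return 'T1547.001', f'autostart "{leaf}" -> {unquote(value or "")}'
    m = re.search(r'\\Internet Settings\\Zones\\(\d)\\2500$', key)
    if m and value == '3':          # action 2500 = Protected Mode; 3 = off, 0 = on
        return 'T1562.001', f'IE Protected Mode turned off for zone {m[1]} ({ZONES.get(m[1], "?")})'
    if key.lower().endswith('\\services\\vmware'):
        return 'T1497.001', 'VMware service key probed (VM/sandbox check)'
    if key.endswith(r'\Control Panel\International\Geo\Nation'):
        return 'T1614', 'system location (Geo\\Nation) queried'
    if leaf == 'EnableLUA':
        return 'T1012', 'UAC status read (EnableLUA)'
    return None, 'unclassified'


def parse_rows(text):
    """Return a dict per row that matches the report's registry-row layout."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:                        # headings and non-registry rows are skipped
            events.append(m.groupdict())
    return events


def triage(text):
    """Parse and classify every registry row in the given report text."""
    out = []
    for ev in parse_rows(text):
        technique, detail = classify(ev)
        out.append({'proc': ev['proc'], 'op': ev['op'], 'key': ev['key'],
                    'technique': technique, 'detail': detail})
    return out


def by_process(findings):
    """Group classified techniques by the process image that caused them."""
    grouped = defaultdict(list)
    for f in findings:
        if f['technique']:
            grouped[f['proc']].append(f['technique'])
    return dict(grouped)


if __name__ == '__main__':
    for f in triage(SAMPLE_ROWS):
        image = f['proc'].rsplit('\\', 1)[-1]
        print(f"{f['technique'] or '-':10} {image:18} {f['detail']}")
```

Grouping by process shows what the tables above already hint at: the SysWOW64 explorer.exe (the injected host process, not the shell itself) accounts for the firewall change, the IFEO hijack of rstrui.exe, the "Java Updater" autostart and the Protected Mode changes, which is the behaviour to pivot on when hunting for the same chain on a live host.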

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun213b31a7e71d4cf6d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21ab69e87d0.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\8B9C.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Java Updater\uq5qcoy755.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Java Updater\uq5qcoy755.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Java Updater\uq5qcoy755.exe N/A
Token: SeLoadDriverPrivilege N/A C:\ProgramData\Java Updater\uq5qcoy755.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2984 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2984 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1984 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe
PID 1984 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe
PID 1984 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe
PID 4968 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe
PID 1104 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe
PID 1104 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe
PID 4416 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe
PID 4416 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe
PID 4416 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe
PID 2804 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun213b31a7e71d4cf6d.exe
PID 4516 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun213b31a7e71d4cf6d.exe
PID 1432 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21caad43cbccfb.exe
PID 1432 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21caad43cbccfb.exe
PID 1576 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
PID 1576 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
PID 1576 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
PID 2960 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe
PID 2960 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe
PID 2960 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe
PID 4288 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21ab69e87d0.exe
PID 4288 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21ab69e87d0.exe
PID 736 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun211972de1e.exe
PID 736 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun211972de1e.exe
PID 736 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun211972de1e.exe
PID 4720 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun218856081dd1.exe
PID 4720 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun218856081dd1.exe
PID 4720 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun218856081dd1.exe
PID 396 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21dd3b887a3.exe
PID 396 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21dd3b887a3.exe
PID 396 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21dd3b887a3.exe
PID 4824 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
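The "wrote to memory of" rows above are the sandbox's record of each CreateProcess call (it logs several writes per spawn, so the same parent/child pair appears up to three times), and read in order they describe the whole dropper chain. The Python below is an added example by the editor, not part of the report: it collapses the rows into one edge per parent/child pair, rebuilds the process tree, and walks the ancestry of a PID of interest. The sample rows are a subset copied from the table above; the heuristic that flags Windows binaries (cmd.exe, powershell.exe) started by an image under a Temp directory is the editor's, as are the function names.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the "wrote to memory of" rows from the
# behavioral2 signature table, including the repeated rows the report prints
# for one parent -> child spawn.
SAMPLE_ROWS = r'''
PID 2984 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2984 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2984 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1984 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe
PID 1984 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe
PID 1984 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe
PID 4968 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe
PID 4416 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe
PID 2804 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
PID 4516 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun213b31a7e71d4cf6d.exe
'''

ROW_RE = re.compile(
    r'^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A '
    r'(?P<src>[A-Z]:\\.+?\.exe) (?P<dst>[A-Z]:\\.+?\.exe)$'
)


def parse_edges(text):
    """Collapse the rows into one edge per (ppid, pid), counting the writes."""
    edges = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = (int(m['ppid']), int(m['pid']))
        edge = edges.setdefault(key, {'src': m['src'], 'dst': m['dst'], 'writes': 0})
        edge['writes'] += 1
    return edges


def build_tree(edges):
    """Index the edges as parent map, ordered children lists and pid -> image path."""
    tree = {'children': OrderedDict(), 'parent': {}, 'image': OrderedDict()}
    for (ppid, pid), e in edges.items():
        tree['image'].setdefault(ppid, e['src'])
        tree['image'][pid] = e['dst']
        tree['parent'][pid] = ppid
        tree['children'].setdefault(ppid, []).append(pid)
    return tree


def roots(tree):
    """PIDs that were never written to by another process (the submitted sample)."""
    return [p for p in tree['image'] if p not in tree['parent']]


def ancestry(tree, pid):
    """Root-to-leaf chain of PIDs ending at the given pid."""
    chain = [pid]
    while chain[-1] in tree['parent']:
        chain.append(tree['parent'][chain[-1]])
    return chain[::-1]


def render(tree):
    """Indented 'pid image' lines, depth-first in the order the report recorded spawns."""
    lines = []

    def walk(pid, depth):
        name = tree['image'][pid].rsplit('\\', 1)[-1]
        lines.append('  ' * depth + f'{pid} {name}')
        for child in tree['children'].get(pid, []):
            walk(child, depth + 1)

    for r in roots(tree):
        walk(r, 0)
    return lines


def system_binaries_spawned_from_temp(tree):
    """Editor's heuristic: Windows binaries whose parent image lives under a Temp dir."""
    hits = []
    for pid, ppid in tree['parent'].items():
        child, parent = tree['image'][pid].lower(), tree['image'][ppid].lower()
        if child.startswith('c:\\windows\\') and '\\appdata\\local\\temp\\' in parent:
            hits.append(pid)
    return hits


if __name__ == '__main__':
    tree = build_tree(parse_edges(SAMPLE_ROWS))
    print('\n'.join(render(tree)))
    print('powershell lineage:', ' -> '.join(map(str, ancestry(tree, 1952))))
    print('system binaries started from Temp:', system_binaries_spawned_from_temp(tree))
```

On the full table the same walk gives a single root (PID 2984, the submitted sample) fanning out through two nested setup_install.exe stages into nine cmd.exe children, one of which (PID 4824) starts the powershell.exe that adds the Defender exclusion listed in the Processes section.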

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe

"C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe

C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe

C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun211972de1e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun21cfc7686a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun21caad43cbccfb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun21688b2b2b63.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun21ab69e87d0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun213b31a7e71d4cf6d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun21dd3b887a3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sun218856081dd1.exe

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun213b31a7e71d4cf6d.exe

Sun213b31a7e71d4cf6d.exe

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21caad43cbccfb.exe

Sun21caad43cbccfb.exe

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe

Sun21688b2b2b63.exe

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe

Sun21cfc7686a.exe

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21ab69e87d0.exe

Sun21ab69e87d0.exe

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun218856081dd1.exe

Sun218856081dd1.exe

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun211972de1e.exe

Sun211972de1e.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2804 -ip 2804

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21dd3b887a3.exe

Sun21dd3b887a3.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\is-8ATSR.tmp\Sun218856081dd1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8ATSR.tmp\Sun218856081dd1.tmp" /SL5="$17004C,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun218856081dd1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1080

C:\Users\Admin\AppData\Local\Temp\8B9C.exe

C:\Users\Admin\AppData\Local\Temp\8B9C.exe

C:\Users\Admin\AppData\Local\Temp\97A3.exe

C:\Users\Admin\AppData\Local\Temp\97A3.exe

C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1520

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2144 -ip 2144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 9772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4576 -ip 4576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1136

C:\ProgramData\Java Updater\uq5qcoy755.exe

/prstb

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1604

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2612 -ip 2612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1984 -ip 1984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1128

C:\ProgramData\Java Updater\uq5qcoy755.exe

/prstb

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3288 -ip 3288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1080
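Three things in the command-line list above are worth pulling out automatically when triaging a report like this: the Defender exclusion for the dropper's own %TEMP% directory (cmd.exe wrapping powershell.exe running Add-MpPreference -ExclusionPath), the repeated WerFault.exe launches whose -p argument names the crashing process (2756 over and over), and the 7zS041BB8A8 staging directory that every Sun21*.exe child is launched from. The script below is an added example, not part of the sandbox report; it assumes the command lines are available as plain strings in the layout shown above and that a %TEMP%\7zS<hex>\ directory is the extraction directory a 7-Zip SFX stub creates. The sample list is constructed from lines copied from the report.

```python
import re
from collections import Counter

# Constructed sample: a handful of the command lines listed above, copied verbatim.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'C:\Windows\system32\cmd.exe /c Sun211972de1e.exe',
    r'C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun213b31a7e71d4cf6d.exe',
    r'"C:\Users\Admin\AppData\Local\Temp\is-8ATSR.tmp\Sun218856081dd1.tmp" /SL5="$17004C,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun218856081dd1.exe"',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2804 -ip 2804',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 492',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2756 -ip 2756',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 824',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2756 -ip 2756',
    r'"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"',
]

# Defender exclusion added from the command line: the quoted or bare path after -ExclusionPath.
EXCLUSION_RE = re.compile(r'Add-MpPreference\s+-ExclusionPath\s+"?([^"\s]+)"?', re.IGNORECASE)
# WerFault's "-p <pid>" names the crashing process; both the -pss and the -u forms carry it.
WERFAULT_RE = re.compile(r'WerFault\.exe\b.*?\s-p\s+(\d+)', re.IGNORECASE)
# Assumption: %TEMP%\7zS<hex>\ is the extraction directory created by a 7-Zip SFX stub.
STAGING_RE = re.compile(r'\\Temp\\(7zS[0-9A-F]+)\\', re.IGNORECASE)
# "cmd.exe /c <child>": the process of interest is the child, not cmd.exe itself.
CMD_WRAP_RE = re.compile(r'^"?[^"]*?cmd\.exe"?\s+/c\s+(.*)$', re.IGNORECASE)


def defender_exclusions(cmdlines):
    """Paths the sample tells Defender to stop scanning."""
    return [m.group(1) for c in cmdlines for m in [EXCLUSION_RE.search(c)] if m]


def werfault_by_pid(cmdlines):
    """Number of WerFault.exe launches per crashing PID."""
    counts = Counter()
    for c in cmdlines:
        m = WERFAULT_RE.search(c)
        if m:
            counts[int(m.group(1))] += 1
    return dict(counts)


def staging_dirs(cmdlines):
    """Distinct 7zS<hex> extraction directories referenced by any command line."""
    return sorted({m.group(1) for c in cmdlines for m in STAGING_RE.finditer(c)})


def unwrap_cmd(cmdline):
    """Return the command wrapped by 'cmd.exe /c', or the line itself if it is not wrapped."""
    m = CMD_WRAP_RE.match(cmdline)
    return m.group(1).strip() if m else cmdline


def triage(cmdlines):
    """One-shot summary of the defence-evasion, crash and staging signals in a command-line list."""
    return {
        "defender_exclusions": defender_exclusions(cmdlines),
        "werfault_by_pid": werfault_by_pid(cmdlines),
        "staging_dirs": staging_dirs(cmdlines),
        "cmd_wrapped": [unwrap_cmd(c) for c in cmdlines if unwrap_cmd(c) != c],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINES).items():
        print(f"{key}: {value}")
```

Run over the full list, werfault_by_pid makes the crash pattern obvious at a glance (PID 2756 accounts for most of the WerFault launches), and the excluded path is exactly the directory the staging dir and the 8B9C.exe, 97A3.exe and WindowsUpdater.exe drops live under, which is why the exclusion is requested before the second-stage payloads are written.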

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
N/A 127.0.0.1:53902 - tcp
N/A 127.0.0.1:53904 - tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 37.0.10.214:80 - tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 theonlinesportsgroup.net udp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 remotenetwork.xyz udp
US 8.8.8.8:53 remotepc3.xyz udp
US 8.8.8.8:53 2no.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 104.21.79.229:443 2no.co tcp
US 8.8.8.8:53 the-flash-man.com udp
US 8.8.8.8:53 best-link-app.com udp
US 8.8.8.8:53 229.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 104.21.79.229:443 2no.co tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 37.0.10.244:80 - tcp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 varmisende.com udp
US 104.21.71.125:80 varmisende.com tcp
US 8.8.8.8:53 125.71.21.104.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 eduarroma.tumblr.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 74.114.154.22:443 eduarroma.tumblr.com tcp
US 8.8.8.8:53 22.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 a.goatgame.co udp
NL 212.193.30.115:80 - tcp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
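The network table mixes three kinds of rows that need to be separated before anything in it is treated as an indicator: forward DNS queries to 8.8.8.8, reverse (in-addr.arpa) queries that the host issues for addresses it has just talked to, and the actual TCP connections, some of which carry no name at all (the 37.0.10.x and 212.193.30.115 rows). The in-addr.arpa names are not indicators; they are the contacted addresses with their octets reversed, so 1.112.95.208.in-addr.arpa is just 208.95.112.1 (the ip-api.com connection) and 229.79.21.104.in-addr.arpa is 104.21.79.229 (the 2no.co connection). The parser below is an added example, not part of the report; it assumes the whitespace-separated layout shown above, with a row that has three fields or a "-" in the Domain column meaning the connection had no associated name. The sample rows are constructed by copying lines from the table.

```python
# Constructed sample: rows copied from the Network table above, covering a PTR query,
# forward queries, a loopback connection, a connection with no name, and a CDN connection.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
N/A 127.0.0.1:53902 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 37.0.10.214:80 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 104.21.79.229:443 2no.co tcp
US 104.21.79.229:443 2no.co tcp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
"""

PTR_SUFFIX = ".in-addr.arpa"
RESOLVER = "8.8.8.8:53"  # the sandbox's configured resolver, as seen in the table


def parse_rows(text):
    """Split the table into dicts; a missing or '-' Domain column becomes an empty string."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        if domain == "-":
            domain = ""
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'133.32.126.40.in-addr.arpa' -> '40.126.32.133': PTR names list the octets in reverse."""
    octets = name[: -len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(octets))


def extract_iocs(text):
    """Separate forward lookups, reverse lookups, real connections and loopback traffic."""
    domains, ptr_ips, contacts, loopback = set(), set(), {}, set()
    for r in parse_rows(text):
        if r["dest"] == RESOLVER and r["proto"] == "udp":
            if r["domain"].endswith(PTR_SUFFIX):
                ptr_ips.add(ptr_to_ip(r["domain"]))
            elif r["domain"]:
                domains.add(r["domain"])
        elif r["dest"].startswith("127."):
            loopback.add(r["dest"])
        else:
            # keep the first name seen for a destination; None marks a connection with no name
            contacts.setdefault(r["dest"], r["domain"] or None)
    return {
        "queried_domains": sorted(domains),
        "ptr_lookups_for": sorted(ptr_ips),
        "contacted": dict(sorted(contacts.items())),
        "raw_ip_only": sorted(d for d, name in contacts.items() if name is None),
        "loopback": sorted(loopback),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

raw_ip_only is the list to look at first: a TCP connection to an address that was never resolved by name is what a hard-coded C2 address looks like in this kind of table, whereas queried_domains still needs sorting into infrastructure the malware owns and services it merely uses (ip-api.com is a public IP-geolocation API, cdn.discordapp.com and eduarroma.tumblr.com are third-party hosting).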

Files

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 25f9b6f64d4c687c6f5c5003a1ce815c
SHA1 76acfabdea71c81c7e79fa685b3d71a0299f6fdb
SHA256 6dd6efa0fd92ed74a70003b923b702bc16fa3c1374b737b4ede50d752a0cc58c
SHA512 5822d82c41da4bc25a06c140d95cc08a0c9fb79717356d8b562ede85c9f7969aa67a02fd8b55a450e8e4e1c5852032ee057a42062ee37d79a34c5adb7abb4732

C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe

MD5 b5491eb6f1b1189534db9aa4c4534915
SHA1 19799e326bded5eb3674c3bdc2e55580c537fe38
SHA256 758f3cefec9a059f0933e897bc0c628fe2b7b56f670e95093225b706d18b928a
SHA512 e54fe8ce83d5510ff0d45a567252d879eb9b11cfa956c7957d4a3ec8937594a001021d159e88cdf875c56f8fb839e70704c5649ecbc2f3ce8938685fcb436663

C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\libzip.dll

MD5 81d6f0a42171755753e3bc9b48f43c30
SHA1 b766d96e38e151a6a51d72e753fb92687e8f9d03
SHA256 e186cf97d768a139819278c4ce35e6df65adb2bdaee450409994d4c7c8d7c723
SHA512 461bf23b1ec98d97281fd55308d1384a3f471d0a4b2e68c2a81a98346db9edc3ca2b8dbeb68ae543796f73cc04900ec298554b7ff837db0241863a157b43cda1

memory/4968-38-0x0000000061880000-0x00000000618B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\zlib1.dll

MD5 c7d4d685a0af2a09cbc21cb474358595
SHA1 b784599c82bb90d5267fd70aaa42acc0c614b5d2
SHA256 e96b397b499d9eaa3f52eaf496ca8941e80c0ad1544879ccadf02bf2c6a1ecfc
SHA512 fed2c126a499fae6215e0ef7d76aeec45b60417ed11c7732379d1e92c87e27355fe8753efed86af4f58d52ea695494ef674538192fac1e8a2a114467061a108b

memory/4968-41-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4968-40-0x0000000061880000-0x00000000618B7000-memory.dmp

memory/4968-42-0x0000000061880000-0x00000000618B7000-memory.dmp

memory/4968-47-0x0000000000400000-0x00000000007F0000-memory.dmp

memory/4968-48-0x0000000061880000-0x00000000618B7000-memory.dmp

memory/4968-50-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4968-51-0x0000000061B80000-0x0000000061B98000-memory.dmp

memory/4968-49-0x0000000064940000-0x0000000064959000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe

MD5 e69948a6953a77464e92ac44fe945242
SHA1 d0b1569b0ca632defc74a6320658c0c1481f3ee1
SHA256 aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
SHA512 f14f8a41c2e5dad21908eae3494cc1db049e223b19186379256695825b9918813e4cd34d73f43eba36fdfbfff6608d50bf2b98dbd45f17c4b3136bc6087c2952

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe

MD5 3303b0c75753ea25cf206b81ad24816b
SHA1 12a6265214cf693af00d14c3b720731abd20fd1e
SHA256 4c1704c1b7f10a459017319b867377a68d67e194c692d46baa5d1fb233b50c59
SHA512 97677fb7704d360e5e042c36bc8fb9bcfdbb93b3e966a20a4370ebd5c7527589f7ff4937fb75aaf9744e01a3db12000f0ba6e2027b673cb6538a986e6ed2a18f

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2804-96-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2804-101-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2804-105-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2804-104-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2804-106-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2804-107-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2804-108-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2804-109-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2804-110-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2804-111-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2804-112-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2804-113-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2804-114-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe

MD5 57506c6106f4c4e9b795d68f247a7bf0
SHA1 937d9694d68082c8d12fc0d31965514c881e2eab
SHA256 11577fc5b67317c24be99806ce1d5a41b5eac4dc96d1eb23983e1bbea2d003e4
SHA512 bbc0ad52ca09ecf4d4bc23ed68b1d02a6b47771ff7f6a4fa2a62e6ce4301385d0771f3fb4a9cd8330bbf712b3d41b14f1f1608aed45a12a2850239ee897b1636

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21caad43cbccfb.exe

MD5 e113dae909b8fe86578d8558326d626b
SHA1 28d21842fce5df5dee1704eb4c28388c44860a53
SHA256 6e42b651324f4b813fc623bfd8ad7862ae425123d1b84f9c9dd6da6b45bc9f11
SHA512 d52e53d1c9d3f69d9651843c311c24de9d9b49e7ed7324bc42ce39a13c41ade20d95f1e3e519ce4e3a87cc3310340e582d76de788d6e39e4976e98dd4d3c3bd4

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun218856081dd1.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe

MD5 7b1e08adae5f1373c4b845a09982d0a3
SHA1 4838a531872de3ed82dc9e191c9a582fb5ea530c
SHA256 e651a40b14c10f0c8ba9c4fb3cd648a04cad7f226e4a0a25664135e0ce5f4b52
SHA512 7d6e51eddccfa039ea5dbaffb19ed211a50dd86dece6f588d2466f35a00107be9fa137f7d795627799def8c399aaaac5670d9f2ae2fc7e601cb186e4f9e73641

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21dd3b887a3.exe

MD5 b0f998e526aa724a696ccb2a75ff4f59
SHA1 c1aa720cc06c07acc8141fab84cdb8f9566c0994
SHA256 05e2540b7113609289ffb8ccdcb605aa6dac2873dcce104c43fbd4b7f58b8898
SHA512 ea7388083b8f4ef886d04d79a862ad1d6f9ecb94af1267a9ae0932dbc10ef1046b8e235972eab2a4741df52981094a81329f107e6e44adebdf9e95d7c778d55b

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun213b31a7e71d4cf6d.exe

MD5 abea1f518f0b3957a1755eae02698ca3
SHA1 b3130e09832595c47cfb06a883388fabdd5bc488
SHA256 1b9d29f4887cb5ec2f7980f3b51fccf0eb699bf81361b31342e9a895cc362c8d
SHA512 ee7dd52b1941e64d08eb036839fde49975246c4564aaae577252f988586bf52c1ac59de81ea28cedeb06b723a9317ad1c60fa1ba4c42b7dae6e0cea8405ddfc5

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21ab69e87d0.exe

MD5 7b9b0197f1ed02fd7830a7e588a1c7a4
SHA1 732474ad1ee1a9c533d18f02e8dec4e1256a74e1
SHA256 376c4d62f6922dfcfb27c519f56d39ffbffbb82666cb2e4c96578aa1e6321523
SHA512 dca1df9a2af2a9ebcc5bbfb75d2b4881d41f22ff928131a6079ba986b1d3fe289c2850e96478221140789a82a8006239a7a13d782148d89cd843da97361bdeb7

C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun211972de1e.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

memory/2544-134-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8ATSR.tmp\Sun218856081dd1.tmp

MD5 090544331456bfb5de954f30519826f0
SHA1 8d0e1fa2d96e593f7f4318fa9e355c852b5b1fd4
SHA256 b32cbc6b83581d4dc39aa7106e983e693c5df0e0a28f146f0a37bc0c23442047
SHA512 03d5cbc044da526c8b6269a9122437b8d386530900e2b8452e4cf7b3d36fc895696cbe665e650a9afbdec4bad64a3dc0f6f5e1309e07f6f1407ec0643cac121d

memory/2328-140-0x0000000000820000-0x0000000000828000-memory.dmp

memory/2228-141-0x0000000000320000-0x000000000034E000-memory.dmp

memory/2228-142-0x00007FFAFCB80000-0x00007FFAFD641000-memory.dmp

memory/2804-143-0x0000000000400000-0x000000000051B000-memory.dmp

memory/2228-145-0x00000000023A0000-0x00000000023C0000-memory.dmp

memory/2804-146-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2804-144-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2804-148-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2804-147-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2804-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2328-150-0x00007FFAFCB80000-0x00007FFAFD641000-memory.dmp

memory/2328-151-0x000000001B370000-0x000000001B380000-memory.dmp

memory/2228-152-0x000000001B200000-0x000000001B210000-memory.dmp

memory/2544-153-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3204-154-0x0000000002160000-0x0000000002161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-9BJMR.tmp\idp.dll

MD5 783f37500b6f7b5e06d6852c5dc213d3
SHA1 ea197e6074b5e0a322f10f5dc348e7706732110a
SHA256 17260213d3fcdeeb32e9e5e6349d9e305db0f39f2b81ccf06cb5eae304e9489c
SHA512 28d08d714533cab41d6579b55d2e9c2d7767c4edf6721fd39a21bfe7c5e4bd592e2df32a0a99951b3b6be23a820ba92c712db211531f976de0c89a95b1f94ebf

memory/1608-164-0x0000000002010000-0x0000000002110000-memory.dmp

memory/1608-165-0x0000000001EA0000-0x0000000001EA9000-memory.dmp

memory/2756-166-0x0000000002080000-0x0000000002180000-memory.dmp

memory/2756-167-0x0000000001F90000-0x000000000202D000-memory.dmp

memory/1608-168-0x0000000000400000-0x0000000001D81000-memory.dmp

memory/2756-172-0x0000000000400000-0x0000000001DDD000-memory.dmp

memory/3204-173-0x0000000000400000-0x0000000000516000-memory.dmp

memory/3204-175-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2544-176-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1952-177-0x0000000073190000-0x0000000073940000-memory.dmp

memory/2228-178-0x00007FFAFCB80000-0x00007FFAFD641000-memory.dmp

memory/3488-179-0x0000000002FE0000-0x0000000002FF5000-memory.dmp

memory/2804-183-0x0000000000400000-0x000000000051B000-memory.dmp

memory/2804-184-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2804-185-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2804-186-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2804-187-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1608-182-0x0000000000400000-0x0000000001D81000-memory.dmp

memory/1608-189-0x0000000001EA0000-0x0000000001EA9000-memory.dmp

memory/2804-188-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2756-190-0x0000000000400000-0x0000000001DDD000-memory.dmp

memory/2328-191-0x00007FFAFCB80000-0x00007FFAFD641000-memory.dmp

memory/2328-192-0x000000001B370000-0x000000001B380000-memory.dmp

memory/1952-193-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/1952-194-0x00000000048A0000-0x00000000048D6000-memory.dmp

memory/2756-199-0x0000000002080000-0x0000000002180000-memory.dmp

memory/2756-200-0x0000000001F90000-0x000000000202D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8B9C.exe

MD5 0c819dd27a128d9234daa3d772fb8c20
SHA1 d5d36492818872da8e70dc28cc85389b8e0f3819
SHA256 ae088798b181a2bf822fcd3bec3a11779f45a8e3b83cb6c75c5ffbffc3c3d5b2
SHA512 f502ddb79703297cf0592e68c3f1f964584725d7aa670272998f174ffa108bb7340c0d65d38d69e1b3f7f1217628dadda108fa2d5fe1eab73b7b3302b9f769b7

memory/4628-204-0x0000000000010000-0x000000000006D000-memory.dmp

memory/1952-206-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/4628-207-0x0000000000900000-0x0000000000966000-memory.dmp

memory/4628-208-0x00000000005E0000-0x00000000005ED000-memory.dmp

memory/4628-211-0x0000000000900000-0x0000000000966000-memory.dmp

memory/1952-213-0x0000000073190000-0x0000000073940000-memory.dmp

memory/4628-214-0x0000000077DB4000-0x0000000077DB5000-memory.dmp

memory/4628-215-0x00000000026C0000-0x00000000026C1000-memory.dmp

memory/4628-216-0x00000000026F0000-0x00000000026FC000-memory.dmp

memory/4628-217-0x0000000000900000-0x0000000000966000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\97A3.exe

MD5 6c764b44fa70a6278585d73aa9628e92
SHA1 164cb720560831360e3387b49ce30661af5e00db
SHA256 70855a2ce47a41d098654191f371425f5cbe5ef427808672c8e9adbde9b921d8
SHA512 a9ce70f566a020759e1bc37f9bf704f88443fbb0b6a552e62ca4db0fee1c80caebec98bdaf037cd8eed89fe70646040335bb6ad36d38dacbdbe62c0f4a00fead

memory/1796-222-0x00007FF72F9A0000-0x00007FF730065000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

MD5 0badb0e573d95db49ac23c11163d9386
SHA1 d86dd20e4498ba5576272df07cd71dd9ed40bf8d
SHA256 5ebb608342d1306743d1ab56bb587b00d7e14737f5af48be3fa738a98cf29668
SHA512 a83d397fdcf2b749aac8f1db38a991b06a70c58d21c84d09cd8a732ee744287e7d7d58edeb817006b6ee245ed313993a3280aea32fd4c5a079b4f960ab35eff8

memory/1796-229-0x00007FF72F9A0000-0x00007FF730065000-memory.dmp

memory/1952-230-0x0000000005020000-0x0000000005648000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nshA0FA.tmp\System.dll

MD5 dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1 c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA256 7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA512 4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

C:\Users\Admin\AppData\Local\Temp\lib.dll

MD5 bc94fe5f3a7d234dceefa5a25c109358
SHA1 eefd19123cb554bd975d9848eff08f195c7794bb
SHA256 fdbd693e2a9eab791967e78eef8e1a3423c63b570d6fc8ccd9367be931c779c4
SHA512 650632899edc1bce009244cf228500c26df33c2036f774f60529c10bf7b277a49d3e635846097cf2d821a54e066a07f5f6ef2be055e1054e8c4a1a938fad9c69

memory/4652-240-0x0000000070490000-0x0000000070BA7000-memory.dmp

memory/4576-243-0x0000000000130000-0x0000000000564000-memory.dmp

memory/1952-245-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/4628-246-0x00000000026E0000-0x00000000026E1000-memory.dmp

memory/4628-248-0x0000000000900000-0x0000000000966000-memory.dmp

memory/4576-249-0x0000000000130000-0x0000000000564000-memory.dmp

memory/4576-250-0x0000000000870000-0x0000000000934000-memory.dmp

memory/4576-251-0x0000000000870000-0x0000000000934000-memory.dmp

memory/1952-253-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/4576-254-0x0000000000870000-0x0000000000934000-memory.dmp

memory/736-260-0x0000000001330000-0x00000000013F4000-memory.dmp

memory/4824-259-0x0000000001320000-0x00000000013E4000-memory.dmp

memory/1432-261-0x0000000000BB0000-0x0000000000C74000-memory.dmp

memory/1576-262-0x0000000001250000-0x0000000001314000-memory.dmp

memory/396-263-0x0000000000ED0000-0x0000000000F94000-memory.dmp

memory/4516-264-0x0000000000F30000-0x0000000000FF4000-memory.dmp

memory/2756-265-0x0000000004DE0000-0x0000000004EA4000-memory.dmp

memory/2144-266-0x0000000003C90000-0x0000000003D54000-memory.dmp

memory/2144-267-0x0000000077D83000-0x0000000077D84000-memory.dmp

memory/4392-269-0x0000000003940000-0x0000000003A04000-memory.dmp

memory/1952-270-0x0000000004A30000-0x0000000004AF4000-memory.dmp

memory/2144-268-0x0000000003C90000-0x0000000003D54000-memory.dmp

memory/3324-271-0x00000000032C0000-0x0000000003384000-memory.dmp

memory/1952-272-0x0000000004A30000-0x0000000004AF4000-memory.dmp

memory/4576-273-0x0000000000870000-0x0000000000934000-memory.dmp

memory/2756-274-0x0000000004DE0000-0x0000000004EA4000-memory.dmp

memory/1952-275-0x0000000004A30000-0x0000000004AF4000-memory.dmp

memory/1952-278-0x0000000004A30000-0x0000000004AF4000-memory.dmp

memory/1952-279-0x0000000004A30000-0x0000000004AF4000-memory.dmp

memory/1952-282-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

memory/4576-281-0x0000000000870000-0x0000000000934000-memory.dmp

memory/4392-283-0x0000000077D83000-0x0000000077D84000-memory.dmp

memory/4576-287-0x0000000002B60000-0x0000000002B62000-memory.dmp

memory/4576-290-0x0000000000870000-0x0000000000934000-memory.dmp

memory/4984-296-0x0000000002140000-0x00000000021A6000-memory.dmp

memory/3324-297-0x0000000077D83000-0x0000000077D84000-memory.dmp

memory/1952-300-0x0000000004A30000-0x0000000004AF4000-memory.dmp

memory/4984-301-0x0000000002140000-0x00000000021A6000-memory.dmp

memory/4984-302-0x0000000002140000-0x00000000021A6000-memory.dmp

memory/2756-303-0x0000000004DE0000-0x0000000004EA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wuhkhssx.eru.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
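The Files list interleaves two kinds of entries: dropped files, each followed by MD5/SHA1/SHA256/SHA512 lines, and memory dumps named memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp. Turning it into a SHA256 manifest (and checking that every digest has the length its label implies, which catches a truncated copy before it lands in a blocklist) and sizing the dumped regions per PID is routine, and the region sizes are informative on their own: PIDs 1608 and 2756 both have dumps starting at 0x400000, the default image base of a 32-bit PE, that run for roughly 26 MB, far larger than any of the dropped executables. The script is an added example, not part of the report; it assumes exactly the layout shown above. The sample is constructed from entries copied from the list.

```python
import re

# Constructed sample: two dropped-file records and four memory-dump names copied from the list above.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\8B9C.exe

MD5 0c819dd27a128d9234daa3d772fb8c20
SHA1 d5d36492818872da8e70dc28cc85389b8e0f3819
SHA256 ae088798b181a2bf822fcd3bec3a11779f45a8e3b83cb6c75c5ffbffc3c3d5b2
SHA512 f502ddb79703297cf0592e68c3f1f964584725d7aa670272998f174ffa108bb7340c0d65d38d69e1b3f7f1217628dadda108fa2d5fe1eab73b7b3302b9f769b7

memory/2756-172-0x0000000000400000-0x0000000001DDD000-memory.dmp

memory/1608-168-0x0000000000400000-0x0000000001D81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

MD5 0badb0e573d95db49ac23c11163d9386
SHA1 d86dd20e4498ba5576272df07cd71dd9ed40bf8d
SHA256 5ebb608342d1306743d1ab56bb587b00d7e14737f5af48be3fa738a98cf29668
SHA512 a83d397fdcf2b749aac8f1db38a991b06a70c58d21c84d09cd8a732ee744287e7d7d58edeb817006b6ee245ed313993a3280aea32fd4c5a079b4f960ab35eff8

memory/2228-142-0x00007FFAFCB80000-0x00007FFAFD641000-memory.dmp

memory/2756-166-0x0000000002080000-0x0000000002180000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits per algorithm
HEX_RE = re.compile(r"^[0-9a-f]+$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_files(text):
    """Return (files, regions): files carry a path and a hash dict, regions a PID and byte range."""
    files, regions, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                            "start": start, "end": end, "size": end - start})
            current = None  # hash lines after a dump name would be a layout error
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LEN and current is not None:
            current["hashes"][algo] = digest.lower()
            continue
        current = {"path": line, "hashes": {}}  # any other line starts a new file record
        files.append(current)
    return files, regions


def malformed_hashes(files):
    """(path, algorithm) pairs whose digest length or alphabet does not match the label."""
    return [(f["path"], algo) for f in files for algo, d in f["hashes"].items()
            if len(d) != HASH_LEN[algo] or not HEX_RE.match(d)]


def sha256_manifest(files):
    """{sha256: path}; a digest seen under several paths keeps the first path."""
    out = {}
    for f in files:
        d = f["hashes"].get("SHA256")
        if d and d not in out:
            out[d] = f["path"]
    return out


def largest_region_per_pid(regions):
    """The biggest dumped region for each PID, the usual place to look for an unpacked image."""
    best = {}
    for r in regions:
        if r["pid"] not in best or r["size"] > best[r["pid"]]["size"]:
            best[r["pid"]] = r
    return best


if __name__ == "__main__":
    files, regions = parse_files(SAMPLE_FILES)
    print("malformed:", malformed_hashes(files))
    for digest, path in sha256_manifest(files).items():
        print(digest, path)
    for pid, r in sorted(largest_region_per_pid(regions).items()):
        print(f"pid {pid}: 0x{r['start']:X}-0x{r['end']:X} ({r['size'] // 1024} KiB)")
```

The 0x400000 regions for PIDs 1608 and 2756 come out at 0x1981000 and 0x19DD000 bytes respectively, which is the first thing to pull from the sandbox for static analysis, since what was written there at runtime is not among the dropped files.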