Analysis Overview
SHA256
d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
Threat Level: Known bad
The file 1923715e6214c54be40797c3d821fbfc was found to be: Known bad.
Malicious Activity Summary
Fabookie
Gozi
Detect Fabookie payload
SmokeLoader
Modifies firewall policy service
Vidar
PrivateLoader
NullMixer
BetaBot
Vidar Stealer
Looks for VMWare services registry key.
Sets file execution options in registry
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Checks whether UAC is enabled
Drops desktop.ini file(s)
Checks for any installed AV software in registry
Maps connected drives based on registry
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious use of UnmapMainImage
Modifies Internet Explorer Protected Mode
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer Protected Mode Banner
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Enumerates system info in registry
Modifies Internet Explorer settings
Runs regedit.exe
Creates scheduled task(s)
NTFS ADS
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 12:53
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 12:53
Reported
2023-12-31 22:14
Platform
win7-20231215-en
Max time kernel
150s
Max time network
169s
Command Line
Signatures
BetaBot
Detect Fabookie payload
Fabookie
Gozi
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
NullMixer
PrivateLoader
SmokeLoader
Vidar
Vidar Stealer
Looks for VMWare services registry key.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe\Debugger = "lcusvl.exe" | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "idhusalyn.exe" | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "ayrkllxwp.exe" | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "sfaywpxbc.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ou37cg1s1e7ee9.exe | C:\Users\Admin\AppData\Local\Temp\45D6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ou37cg1s1e7ee9.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Local\Temp\45D6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "kqoggxylu.exe" | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "gifupgkum.exe" | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
ASPack v2.12-2.42
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\ou37cg1s1e7ee9.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\ou37cg1s1e7ee9.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\ou37cg1s1e7ee9.exe\"" | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\45D6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Java Updater\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45D6.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\45D6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\45D6.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun213b31a7e71d4cf6d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe:1BB7FB68 | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe:1BB7FB68 | C:\Windows\SysWOW64\explorer.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe | "C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe" |
| C:\Users\Admin\AppData\Local\Temp\setup.exe | "C:\Users\Admin\AppData\Local\Temp\setup.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zS8D86F8B6\setup_install.exe | "C:\Users\Admin\AppData\Local\Temp\7zS8D86F8B6\setup_install.exe" |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "37971888-18101947591451164234396784681-1928376552-24589537411389220521182254349" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe |
| C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe | C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe | "C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe" |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-2122551802-1232081075-11498373222774246935904209191855246084-7451386261169582941" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sun21caad43cbccfb.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sun21dd3b887a3.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun218856081dd1.exe | Sun218856081dd1.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21dd3b887a3.exe | Sun21dd3b887a3.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21caad43cbccfb.exe | Sun21caad43cbccfb.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun213b31a7e71d4cf6d.exe | Sun213b31a7e71d4cf6d.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe | Sun21688b2b2b63.exe |
| C:\Users\Admin\AppData\Local\Temp\is-7JU9R.tmp\Sun218856081dd1.tmp | "C:\Users\Admin\AppData\Local\Temp\is-7JU9R.tmp\Sun218856081dd1.tmp" /SL5="$6017E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun218856081dd1.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe | Sun211972de1e.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21ab69e87d0.exe | Sun21ab69e87d0.exe |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe | Sun21cfc7686a.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sun213b31a7e71d4cf6d.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sun21ab69e87d0.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sun218856081dd1.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sun21688b2b2b63.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sun21cfc7686a.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sun211972de1e.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 428 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 940 |
| C:\Users\Admin\AppData\Local\Temp\45D6.exe | C:\Users\Admin\AppData\Local\Temp\45D6.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Users\Admin\AppData\Local\Temp\5764.exe | C:\Users\Admin\AppData\Local\Temp\5764.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 356 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 616 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 480 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 640 |
| C:\Users\Admin\AppData\Local\Temp\ou37cg1s1e7ee9_1.exe | /suac |
| C:\Windows\SysWOW64\regedit.exe | "C:\Windows\SysWOW64\regedit.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\OU37CG~1.EXE" /RL HIGHEST |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | the-flash-man.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | theonlinesportsgroup.net | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | remotenetwork.xyz | udp |
| US | 8.8.8.8:53 | remotepc3.xyz | udp |
| NL | 37.0.10.214:80 | | tcp |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 8.8.8.8:53 | best-link-app.com | udp |
| US | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | varmisende.com | udp |
| US | 172.67.145.41:80 | varmisende.com | tcp |
| US | 8.8.8.8:53 | 2no.co | udp |
| NL | 37.0.10.244:80 | | tcp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | update.microsoft.com | udp |
| US | 20.109.209.108:80 | update.microsoft.com | tcp |
| N/A | 127.0.0.1:49326 | | tcp |
| N/A | 127.0.0.1:49328 | | tcp |
| US | 8.8.8.8:53 | cuckoldlover.com | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 8.8.8.8:53 | cuckoldlover.com | udp |
| US | 104.21.68.235:80 | cuckoldlover.com | tcp |
Files
| SHA256 | 01346c35cce21a603750e9da5c4d4671af061f45e6212ffba2655d006630a81c |
| SHA512 | 06fa57a7dc6174d1c051152e49a3c30a3f471abd174c697aacfc9d942e44fc40ac5182300263dc9ad56168fd2e0c12eab1d3e194de97d85b242d84eb77d2ecba |
\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe
| MD5 | c16b8d9e1ada81ad2b98cd37d0659f69 |
| SHA1 | e6b24c4c4f77c06042e369ee1fadd353ab2ef84b |
| SHA256 | 5e3ad58937b44b439754113efb6f91bffbc51a257a7d86768f3db905af8c8dd3 |
| SHA512 | 67d18112b6140959d29a74e262bc5ac29659c4700ca280ff8185f86cd1469d6bea4f55c946f976c2321d4326fecbb91a1cfc242e789823ff8866d9e034ed0e7f |
C:\Users\Admin\AppData\Local\Temp\7zS863504F6\libcurlpp.dll
| MD5 | 47dea1984cebcbd7490a0e76a1e763fd |
| SHA1 | 6ee79868a6a8d04d8f0dfe013f97e368f1652f9e |
| SHA256 | d858073760e07d8e417e8e1e4ce293ddd840f1c8d499339ed7be6e9e147b2a09 |
| SHA512 | 69a0ba5dbd69db8359ad26e051d3512429f79a51d4324b991d04970ba62f797a0e5995c03b8f823c1e12aed260d432f0278196c63649a54ef3591bea3a7ec202 |
C:\Users\Admin\AppData\Local\Temp\7zS863504F6\libcurl.dll
| MD5 | bdbfbec2bc57aacc08d2a0464c4ece17 |
| SHA1 | ce5cc18c538375a835e718d60b8332ce97f4656d |
| SHA256 | 401bc585c547633716284af6ce8729edcce0cd21c6f0980a9ff6808458ed24d9 |
| SHA512 | a9ffb5a22502541a367ec672f61b7b0c70c889ab4774250b272ffb6c8cb166aeb993943b5d0d1b13d4d54192daf14786f9e34b1a8c23ce791df6ceff5bc592df |
\Users\Admin\AppData\Local\Temp\7zS863504F6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zS863504F6\libgcc_s_dw2-1.dll
| MD5 | 59c7584dbcbe186106d0470825d1101c |
| SHA1 | 2fcc4962c78a13bbdd1e918b35dfcdf1038e1cb3 |
| SHA256 | 04160391a0d3c04af8d5b51ac435f0abaf06dfea32874e079488599197e8d7be |
| SHA512 | 93998bd4d44d899632ff3b166b6fc858f03b71c1c60384568381a592790092e3e1b35911925d3ffd10ee7da9f7b3fa2b8b0370e649325e14c81f85b3fdf11805 |
memory/1020-116-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS863504F6\libstdc++-6.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\7zS863504F6\libgcc_s_dw2-1.dll
| MD5 | 4cbe6faf53b6ad9c5784e794080c948e |
| SHA1 | 8fe51b03c7deb52add43ec9afd0d7615bf39516f |
| SHA256 | a822846684a82cbee25039136b09d46452c8dd20faa16507ff37a1960e9ee415 |
| SHA512 | 5d8b5bd6e83c0ecf1d27ca221d9e4752e7a33c468ea0abd72a6ca789e9d3a0b0545fc2ec901c1ce66c696a151a46fe96fe9f16bb6e404e59b2951b774c37531e |
memory/1020-124-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe
| MD5 | 87352d37445ee863568b049ae9b8dcff |
| SHA1 | 635c0c9adec1f3fdb0993641a20900d064ad6293 |
| SHA256 | 843b12756b6a8de40b0772d06ed8ac4a6468818f779b205842800993721ad4d7 |
| SHA512 | 846619e472417df347eea7650e6f9f2aafd5b92a7ff0ed2f365ba6aad022f8aff7d8308d586c76435d3a631454dde456e585e612f4a629930543315b2d718bfc |
memory/1020-125-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1020-127-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1020-126-0x0000000064940000-0x0000000064959000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe
| MD5 | d23c15cf874b78323b80378d5648b702 |
| SHA1 | 24b1ca6660c9fd96ecd24c177782f9ca0c992cc2 |
| SHA256 | 97406c0cfe432d75437e8579ef022e04e86b486099e1e0efaaec5ef0460cde97 |
| SHA512 | 24caf43115d25ee8a18ea1196c2ff4b91ecb515f40a06dae3f57756529747c779bae411b8b86e8f5c4d99c3b85457319fbc66abd6f6ee433f2703527993dea27 |
memory/1020-128-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1020-130-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1020-131-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1020-129-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe
| MD5 | 8ab13b03e7b98e86240e44e735e655da |
| SHA1 | 359604e0c20f9136a7ff226de970af3b6c372786 |
| SHA256 | fcd62624e433cab2f70d608e8b4923af4c077e9ea7f66bc90eeb3f6ab127ebdb |
| SHA512 | 04095d403c556f4e1740926f6eb9ba9263bf7425505f56479e811ba9258998e238857f2dc778af949e272a386e08ee87f67af4bb66eee0b280e28c46663f0103 |
\Users\Admin\AppData\Local\Temp\7zS863504F6\libstdc++-6.dll
| MD5 | 54951b8f577ad139d42643df3432c642 |
| SHA1 | e465aee6a09e1f1533e5bd93957cff24f7703ee8 |
| SHA256 | f250c7c8e2605c3fcac44cf461abbf755fbbd002a0c628a48ff592fd923481e2 |
| SHA512 | 84979c66d84cc93076d48b175123d51e5947caa4d26ec96cab8a139295f32922eb75733dd680478d67ebd12c072a87941982a0fa39c711a5021c8cc071f21691 |
memory/1020-120-0x000000006FE40000-0x000000006FFC6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS863504F6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/1020-113-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1020-133-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1020-132-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe
| MD5 | 03c2f9b0e8fafa157b1887270fe95835 |
| SHA1 | f7acaf58ef168e5a1026235a68d3d2d94e11f24f |
| SHA256 | f3f46b09ffe56f971e0b393e237fcb8fb5297cecccf9ad062be0b1cbdf0b3e11 |
| SHA512 | 5516c90cbd1e9a3e54378bcbfd8c3e162c1e6c4905259f66ae5c3e4ad4678fdcf58a772f6776e89827fa73538620787154b8dbd4e4950b81feed63eb92b9bfcf |
\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun211972de1e.exe
| MD5 | 6a74bd82aebb649898a4286409371cc2 |
| SHA1 | be1ba3f918438d643da499c25bfb5bdeb77dd2e2 |
| SHA256 | f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a |
| SHA512 | 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707 |
C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21ab69e87d0.exe
| MD5 | 7b9b0197f1ed02fd7830a7e588a1c7a4 |
| SHA1 | 732474ad1ee1a9c533d18f02e8dec4e1256a74e1 |
| SHA256 | 376c4d62f6922dfcfb27c519f56d39ffbffbb82666cb2e4c96578aa1e6321523 |
| SHA512 | dca1df9a2af2a9ebcc5bbfb75d2b4881d41f22ff928131a6079ba986b1d3fe289c2850e96478221140789a82a8006239a7a13d782148d89cd843da97361bdeb7 |
memory/2284-156-0x0000000000240000-0x0000000000249000-memory.dmp
memory/2284-155-0x0000000001F30000-0x0000000002030000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe
| MD5 | 00231d0a42cfd229467e7fa194362e18 |
| SHA1 | ed2f41c5155145265040e70914a764559a0b4132 |
| SHA256 | 57ce8165d1373365ebb5ddf30bad2ab568b9c0cba6a47fdcbb6a276eccc80035 |
| SHA512 | 2acb2b9c2e2916abe2c03f312ba32d7a4856be98635c6be4c55952bd7be59160c9561293c9151679af0e98303628f8fc1dd1913f8e2c9b240d1f40c5184e523d |
memory/2460-161-0x0000000000260000-0x0000000000268000-memory.dmp
memory/3040-163-0x0000000000990000-0x00000000009BE000-memory.dmp
memory/2284-164-0x0000000000400000-0x0000000001D81000-memory.dmp
memory/2432-159-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2432-167-0x0000000000400000-0x000000000046D000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21cfc7686a.exe
| MD5 | 57506c6106f4c4e9b795d68f247a7bf0 |
| SHA1 | 937d9694d68082c8d12fc0d31965514c881e2eab |
| SHA256 | 11577fc5b67317c24be99806ce1d5a41b5eac4dc96d1eb23983e1bbea2d003e4 |
| SHA512 | bbc0ad52ca09ecf4d4bc23ed68b1d02a6b47771ff7f6a4fa2a62e6ce4301385d0771f3fb4a9cd8330bbf712b3d41b14f1f1608aed45a12a2850239ee897b1636 |
C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun213b31a7e71d4cf6d.exe
| MD5 | abea1f518f0b3957a1755eae02698ca3 |
| SHA1 | b3130e09832595c47cfb06a883388fabdd5bc488 |
| SHA256 | 1b9d29f4887cb5ec2f7980f3b51fccf0eb699bf81361b31342e9a895cc362c8d |
| SHA512 | ee7dd52b1941e64d08eb036839fde49975246c4564aaae577252f988586bf52c1ac59de81ea28cedeb06b723a9317ad1c60fa1ba4c42b7dae6e0cea8405ddfc5 |
memory/3040-177-0x00000000004D0000-0x00000000004F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21688b2b2b63.exe
| MD5 | b7b57d1b09e9e10cf2d6871bc2556b7b |
| SHA1 | b021d7f2b0b4be5444bf1765693952812c0aa698 |
| SHA256 | b747158d6d60ae7cae3a48166cb859f5784c4309c56399a8ef96afdc0eac51fb |
| SHA512 | dabec9ee3af5c1125f77b2e589a071cf56359b4fcae086ce6ff96ebec66c0e2d727effae89c123a7e41a586f59e6079cbe88cda138724cefcec0cfc120d4d130 |
memory/1944-180-0x00000000002E0000-0x000000000037D000-memory.dmp
memory/1944-179-0x0000000001E80000-0x0000000001F80000-memory.dmp
memory/3040-178-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp
memory/1944-181-0x0000000000400000-0x0000000001DDD000-memory.dmp
memory/2460-182-0x000000001B240000-0x000000001B2C0000-memory.dmp
memory/2460-183-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21dd3b887a3.exe
| MD5 | 4ccf258907da9de70654700637f0fb0e |
| SHA1 | c4a11495395682335ca47231933e0e905570fc81 |
| SHA256 | 5c958ed7d29299926d999259dd7f1fa1d1be0327f5863a9f2d55ad3e18d2962c |
| SHA512 | dd39a1325631402913cc96bc7d52c5dc37e76d22ecbf0439a6631bee7a31ea02d168d221674edf23af10ceea68c2cea9796e4772a855637b7c92d42fed88d1ea |
C:\Users\Admin\AppData\Local\Temp\7zS863504F6\Sun21caad43cbccfb.exe
| MD5 | 35ff3d256c2187bcbdefe0ba950b88a9 |
| SHA1 | 008ec2462e77bba503b07ce1c4ba0cee11453951 |
| SHA256 | 08270af17f9250454cd6a664c2f12b620d63056e5f256ce77ca8b80b080a4be3 |
| SHA512 | defa6d581540187658c06dcc26fa4e82a4059e9af6d55ce8ba240a06fd0b9a0c06b52acea99a775c2b786e1afcfaab65ee18a7e44ab2a80c9292dac2576404b6 |
memory/2352-184-0x0000000073B30000-0x00000000740DB000-memory.dmp
memory/3040-185-0x0000000002140000-0x00000000021C0000-memory.dmp
memory/2352-186-0x0000000001ED0000-0x0000000001F10000-memory.dmp
memory/1020-134-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe
| MD5 | 248eba82159ad2e2d2e6a578d59dfc46 |
| SHA1 | 75d691a1d2953e4c8dc5edbcfe540c7e330ac291 |
| SHA256 | 82096b9435eace564e4814e293b6a02f33140742c92e963c6a063900bf50f6bf |
| SHA512 | d847a6b0099f74f5722df163d988cf00de384e053208873a58eabc161fe60d9ebb4c8d6eb0fbfe7711ddc4d0f249812c8d4978055ab5fa4fec7c78b522967544 |
C:\Users\Admin\AppData\Local\Temp\7zS863504F6\setup_install.exe
| MD5 | f33fc9240535b5b7d01d3eac2a8fc8f3 |
| SHA1 | 76fad1a309a4165fdae5ae120d8cabbe280c4d8c |
| SHA256 | 4e85338cd1cf6a4dbc0704f278e84090f27aea53e3f7d775ee341ef7d6b12071 |
| SHA512 | c83fafc54286a08024fcf7155265cd8fd9bb13f4fc25f3d38cdc19820061a0bb61098523f66ebf99b84a3d19ec152a3e21ba62e82e556be7b565e8f3711eced9 |
memory/1224-194-0x0000000002A40000-0x0000000002A55000-memory.dmp
memory/2284-195-0x0000000000400000-0x0000000001D81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab2C1.tmp
| MD5 | 050ec2eee0771f1c7a792655e491fa02 |
| SHA1 | fc91e4f6a1a9b8a74f55df010afdb826bc42e159 |
| SHA256 | 964aecc9b2bde50305d7b77d5049553d2f5b69f112d034b090c7d3cf1ccc794b |
| SHA512 | b86a6abdf902ecc4048fe89ab43d8651bfa6262dd9086a8fc118aab7797d3402cc6c8578b4742f65a96b0bff1f0ee0f0c9f90748288e3964719ccc1d62b5307f |
memory/2284-200-0x0000000000240000-0x0000000000249000-memory.dmp
memory/1020-209-0x0000000000400000-0x000000000051B000-memory.dmp
memory/1020-210-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1020-214-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1020-213-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/1020-212-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1020-211-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1220-220-0x0000000000400000-0x0000000000516000-memory.dmp
memory/2432-227-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar128C.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
memory/1944-218-0x0000000000400000-0x0000000001DDD000-memory.dmp
memory/2352-251-0x0000000073B30000-0x00000000740DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\45D6.exe
| MD5 | 0c819dd27a128d9234daa3d772fb8c20 |
| SHA1 | d5d36492818872da8e70dc28cc85389b8e0f3819 |
| SHA256 | ae088798b181a2bf822fcd3bec3a11779f45a8e3b83cb6c75c5ffbffc3c3d5b2 |
| SHA512 | f502ddb79703297cf0592e68c3f1f964584725d7aa670272998f174ffa108bb7340c0d65d38d69e1b3f7f1217628dadda108fa2d5fe1eab73b7b3302b9f769b7 |
memory/2120-326-0x0000000000010000-0x000000000006D000-memory.dmp
memory/2120-327-0x0000000000290000-0x00000000002F6000-memory.dmp
memory/3040-329-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp
memory/2120-328-0x0000000000290000-0x00000000002F6000-memory.dmp
memory/2120-336-0x0000000077C30000-0x0000000077C31000-memory.dmp
memory/2120-335-0x0000000000320000-0x000000000032D000-memory.dmp
memory/2120-334-0x0000000000300000-0x0000000000306000-memory.dmp
memory/2120-333-0x0000000000290000-0x00000000002F6000-memory.dmp
memory/2120-332-0x0000000001EB0000-0x0000000001EBC000-memory.dmp
memory/2120-331-0x0000000000520000-0x0000000000521000-memory.dmp
memory/2460-338-0x000000001B240000-0x000000001B2C0000-memory.dmp
memory/1944-337-0x0000000001E80000-0x0000000001F80000-memory.dmp
memory/2820-340-0x0000000077C20000-0x0000000077DA1000-memory.dmp
memory/2820-339-0x0000000077C20000-0x0000000077DA1000-memory.dmp
memory/2820-342-0x0000000077C20000-0x0000000077DA1000-memory.dmp
memory/2820-341-0x0000000077C20000-0x0000000077DA1000-memory.dmp
memory/2820-345-0x0000000077C20000-0x0000000077DA1000-memory.dmp
memory/2820-347-0x0000000077C20000-0x0000000077DA1000-memory.dmp
memory/2820-352-0x0000000077C20000-0x0000000077DA1000-memory.dmp
memory/2820-354-0x00000000001C0000-0x0000000000284000-memory.dmp
memory/2120-353-0x0000000000290000-0x00000000002F6000-memory.dmp
memory/2820-350-0x00000000001C0000-0x0000000000284000-memory.dmp
memory/2120-349-0x0000000000300000-0x0000000000306000-memory.dmp
memory/2820-346-0x00000000001C0000-0x0000000000284000-memory.dmp
memory/3040-344-0x0000000002140000-0x00000000021C0000-memory.dmp
memory/2820-355-0x00000000000E0000-0x00000000000E6000-memory.dmp
memory/2460-343-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp
memory/2820-356-0x00000000002B0000-0x00000000002BC000-memory.dmp
memory/2820-357-0x00000000001C0000-0x0000000000284000-memory.dmp
memory/2820-358-0x0000000077C20000-0x0000000077DA1000-memory.dmp
memory/2820-359-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/3040-360-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp
memory/2820-361-0x0000000077C20000-0x0000000077DA1000-memory.dmp
memory/2820-362-0x0000000077C20000-0x0000000077DA1000-memory.dmp
memory/1224-369-0x000000013F650000-0x000000013FD15000-memory.dmp
memory/892-368-0x000000013F650000-0x000000013FD15000-memory.dmp
memory/1224-367-0x000000013F650000-0x000000013FD15000-memory.dmp
memory/1264-371-0x0000000000890000-0x0000000000954000-memory.dmp
memory/2820-372-0x0000000077C20000-0x0000000077DA1000-memory.dmp
memory/2820-370-0x0000000077C20000-0x0000000077DA1000-memory.dmp
memory/872-373-0x0000000002CB0000-0x0000000002D74000-memory.dmp
memory/1224-374-0x0000000077A91000-0x0000000077A92000-memory.dmp
memory/872-375-0x0000000002CB0000-0x0000000002D74000-memory.dmp
memory/1224-388-0x0000000002A00000-0x0000000002A06000-memory.dmp
memory/1180-392-0x0000000077A91000-0x0000000077A92000-memory.dmp
memory/2820-396-0x0000000077C20000-0x0000000077DA1000-memory.dmp
memory/2188-397-0x0000000077A40000-0x0000000077BE9000-memory.dmp
memory/636-399-0x0000000077C4D000-0x0000000077C4E000-memory.dmp
memory/2460-401-0x0000000077A40000-0x0000000077BE9000-memory.dmp
memory/636-400-0x00000000031C0000-0x0000000003284000-memory.dmp
memory/2820-398-0x00000000001C0000-0x0000000000284000-memory.dmp
memory/1716-402-0x0000000077A91000-0x0000000077A92000-memory.dmp
memory/2820-409-0x00000000000E0000-0x00000000000E6000-memory.dmp
memory/2476-412-0x0000000000210000-0x000000000021C000-memory.dmp
memory/2476-411-0x0000000000E30000-0x0000000000EF4000-memory.dmp
memory/2252-410-0x0000000077A91000-0x0000000077A92000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 12:53
Reported
2023-12-31 22:15
Platform
win10v2004-20231215-en
Max time kernel
126s
Max time network
170s
Command Line
Signatures
BetaBot
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Gozi
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
NullMixer
PrivateLoader
SmokeLoader
Vidar
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks for VMWare services registry key.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uq5qcoy755.exe | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uq5qcoy755.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "tdlsxhrbz.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\97A3.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\uq5qcoy755.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\uq5qcoy755.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\uq5qcoy755.exe\"" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Java Updater\uq5qcoy755.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\ProgramData\Java Updater\uq5qcoy755.exe | N/A |
Enumerates physical storage devices
Program crash
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Java Updater\uq5qcoy755.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\ProgramData\Java Updater\uq5qcoy755.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\ProgramData\Java Updater\uq5qcoy755.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun213b31a7e71d4cf6d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21ab69e87d0.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\8B9C.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Java Updater\uq5qcoy755.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\ProgramData\Java Updater\uq5qcoy755.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\ProgramData\Java Updater\uq5qcoy755.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\ProgramData\Java Updater\uq5qcoy755.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe
"C:\Users\Admin\AppData\Local\Temp\1923715e6214c54be40797c3d821fbfc.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe
C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe
C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun211972de1e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun21cfc7686a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun21caad43cbccfb.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun21688b2b2b63.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun21ab69e87d0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun213b31a7e71d4cf6d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun21dd3b887a3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun218856081dd1.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun213b31a7e71d4cf6d.exe
Sun213b31a7e71d4cf6d.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21caad43cbccfb.exe
Sun21caad43cbccfb.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
Sun21688b2b2b63.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe
Sun21cfc7686a.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21ab69e87d0.exe
Sun21ab69e87d0.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun218856081dd1.exe
Sun218856081dd1.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun211972de1e.exe
Sun211972de1e.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2804 -ip 2804
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21dd3b887a3.exe
Sun21dd3b887a3.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\is-8ATSR.tmp\Sun218856081dd1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8ATSR.tmp\Sun218856081dd1.tmp" /SL5="$17004C,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun218856081dd1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1080
C:\Users\Admin\AppData\Local\Temp\8B9C.exe
C:\Users\Admin\AppData\Local\Temp\8B9C.exe
C:\Users\Admin\AppData\Local\Temp\97A3.exe
C:\Users\Admin\AppData\Local\Temp\97A3.exe
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1520
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2144 -ip 2144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 9772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4576 -ip 4576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1136
C:\ProgramData\Java Updater\uq5qcoy755.exe
/prstb
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1604
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4392 -ip 4392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2612 -ip 2612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1984 -ip 1984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1128
C:\ProgramData\Java Updater\uq5qcoy755.exe
/prstb
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3288 -ip 3288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1080
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| N/A | 127.0.0.1:53902 | N/A | tcp |
| N/A | 127.0.0.1:53904 | N/A | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 37.0.10.214:80 | N/A | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | theonlinesportsgroup.net | udp |
| US | 8.8.8.8:53 | 23.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | remotenetwork.xyz | udp |
| US | 8.8.8.8:53 | remotepc3.xyz | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | the-flash-man.com | udp |
| US | 8.8.8.8:53 | best-link-app.com | udp |
| US | 8.8.8.8:53 | 229.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 37.0.10.244:80 | N/A | tcp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | varmisende.com | udp |
| US | 104.21.71.125:80 | varmisende.com | tcp |
| US | 8.8.8.8:53 | 125.71.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| US | 8.8.8.8:53 | 22.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| NL | 212.193.30.115:80 | N/A | tcp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\setup_install.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\libwinpthread-1.dll
C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\libgcc_s_dw2-1.dll
C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\libzip.dll
C:\Users\Admin\AppData\Local\Temp\7zS0C7CCA98\zlib1.dll
C:\Users\Admin\AppData\Local\Temp\83904ea3382de84ea.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\setup_install.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\libcurl.dll
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\libcurlpp.dll
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\libstdc++-6.dll
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21cfc7686a.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21caad43cbccfb.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun218856081dd1.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21688b2b2b63.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21dd3b887a3.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun213b31a7e71d4cf6d.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun21ab69e87d0.exe
C:\Users\Admin\AppData\Local\Temp\7zS041BB8A8\Sun211972de1e.exe
C:\Users\Admin\AppData\Local\Temp\is-8ATSR.tmp\Sun218856081dd1.tmp
C:\Users\Admin\AppData\Local\Temp\is-9BJMR.tmp\idp.dll
C:\Users\Admin\AppData\Local\Temp\8B9C.exe
C:\Users\Admin\AppData\Local\Temp\97A3.exe
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
C:\Users\Admin\AppData\Local\Temp\nshA0FA.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\lib.dll
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wuhkhssx.eru.ps1