Malware Analysis Report

2024-11-13 19:30

Sample ID 241107-bzm34sself
Target 142a1878c2453fe9c9a51deef2742ac31d0c91ab332eb6ad8c4ebc00f9b25597
SHA256 142a1878c2453fe9c9a51deef2742ac31d0c91ab332eb6ad8c4ebc00f9b25597
Tags
fabookie gcleaner nullmixer privateloader redline socelars 05v1user aspackv2 discovery dropper execution infostealer loader spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

142a1878c2453fe9c9a51deef2742ac31d0c91ab332eb6ad8c4ebc00f9b25597

Threat Level: Known bad

The file 142a1878c2453fe9c9a51deef2742ac31d0c91ab332eb6ad8c4ebc00f9b25597 was found to be: Known bad.

Malicious Activity Summary

fabookie gcleaner nullmixer privateloader redline socelars 05v1user aspackv2 discovery dropper execution infostealer loader spyware stealer

Socelars family

Fabookie

GCleaner

Privateloader family

Socelars payload

Gcleaner family

Nullmixer family

Redline family

Detect Fabookie payload

RedLine

RedLine payload

Socelars

NullMixer

Fabookie family

PrivateLoader

Detected Nirsoft tools

NirSoft WebBrowserPassView

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

ASPack v2.12-2.42

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Looks up geolocation information via web service

Looks up external IP address via web service

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Drops Chrome extension

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

Program crash

System Location Discovery: System Language Discovery

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Kills process with taskkill

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 01:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-07 01:35

Reported

2024-11-07 01:37

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-9PJD6.tmp\61db124581e67_Sun16f69cf5.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123c07201_Sun16eddc15d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d53987_Sun167d37725.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1248c3618_Sun163d2f1a2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124485050_Sun16393bc6d27.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124390898_Sun1668743e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12406f6aa_Sun162d98072de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d53987_Sun167d37725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123f27aeb_Sun16fd2d2c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124485050_Sun16393bc6d27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12415525f_Sun165e4b43.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d0b1da_Sun16b440cb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1248c3618_Sun163d2f1a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123b5520c_Sun167e6e8e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9PJD6.tmp\61db124581e67_Sun16f69cf5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12463c38c_Sun163f038f56b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124687449_Sun160c8bdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ANNTS.tmp\61db124581e67_Sun16f69cf5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d0b1da_Sun16b440cb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e59c9ed.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4880 set thread context of 3692 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d0b1da_Sun16b440cb5.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d0b1da_Sun16b440cb5.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124687449_Sun160c8bdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-ANNTS.tmp\61db124581e67_Sun16f69cf5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124485050_Sun16393bc6d27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124581e67_Sun16f69cf5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12415525f_Sun165e4b43.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d0b1da_Sun16b440cb5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d53987_Sun167d37725.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1248c3618_Sun163d2f1a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12463c38c_Sun163f038f56b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124581e67_Sun16f69cf5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123f27aeb_Sun16fd2d2c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123c07201_Sun16eddc15d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d0b1da_Sun16b440cb5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124390898_Sun1668743e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-9PJD6.tmp\61db124581e67_Sun16f69cf5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123c07201_Sun16eddc15d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e59c9ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124390898_Sun1668743e.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124390898_Sun1668743e.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124390898_Sun1668743e.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133754169462932367" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12406f6aa_Sun162d98072de.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d0b1da_Sun16b440cb5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d53987_Sun167d37725.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe
PID 840 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe
PID 840 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe
PID 1336 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124581e67_Sun16f69cf5.exe
PID 2980 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124581e67_Sun16f69cf5.exe
PID 2980 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124581e67_Sun16f69cf5.exe
PID 1380 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124390898_Sun1668743e.exe
PID 1380 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124390898_Sun1668743e.exe
PID 1380 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124390898_Sun1668743e.exe
PID 3636 wrote to memory of 664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12406f6aa_Sun162d98072de.exe
PID 3636 wrote to memory of 664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12406f6aa_Sun162d98072de.exe
PID 3404 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123c07201_Sun16eddc15d.exe
PID 3404 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123c07201_Sun16eddc15d.exe
PID 3404 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123c07201_Sun16eddc15d.exe
PID 1560 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe
PID 1560 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123b5520c_Sun167e6e8e5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123c07201_Sun16eddc15d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123d0b1da_Sun16b440cb5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123d53987_Sun167d37725.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123f27aeb_Sun16fd2d2c6.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db12406f6aa_Sun162d98072de.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db12415525f_Sun165e4b43.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124390898_Sun1668743e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124485050_Sun16393bc6d27.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124581e67_Sun16f69cf5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db12463c38c_Sun163f038f56b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124687449_Sun160c8bdb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db1247ebe9a_Sun16487c750.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db1248c3618_Sun163d2f1a2.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1336 -ip 1336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 612

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124581e67_Sun16f69cf5.exe

61db124581e67_Sun16f69cf5.exe

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124390898_Sun1668743e.exe

61db124390898_Sun1668743e.exe

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12406f6aa_Sun162d98072de.exe

61db12406f6aa_Sun162d98072de.exe

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe

61db1247ebe9a_Sun16487c750.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123c07201_Sun16eddc15d.exe

61db123c07201_Sun16eddc15d.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d0b1da_Sun16b440cb5.exe

61db123d0b1da_Sun16b440cb5.exe

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d53987_Sun167d37725.exe

61db123d53987_Sun167d37725.exe

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1248c3618_Sun163d2f1a2.exe

61db1248c3618_Sun163d2f1a2.exe

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123f27aeb_Sun16fd2d2c6.exe

61db123f27aeb_Sun16fd2d2c6.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124485050_Sun16393bc6d27.exe

61db124485050_Sun16393bc6d27.exe

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12415525f_Sun165e4b43.exe

61db12415525f_Sun165e4b43.exe

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123b5520c_Sun167e6e8e5.exe

61db123b5520c_Sun167e6e8e5.exe

C:\Users\Admin\AppData\Local\Temp\is-9PJD6.tmp\61db124581e67_Sun16f69cf5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9PJD6.tmp\61db124581e67_Sun16f69cf5.tmp" /SL5="$C0070,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124581e67_Sun16f69cf5.exe"

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12463c38c_Sun163f038f56b.exe

61db12463c38c_Sun163f038f56b.exe

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124687449_Sun160c8bdb.exe

61db124687449_Sun160c8bdb.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 636 -ip 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 408

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124581e67_Sun16f69cf5.exe

"C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124581e67_Sun16f69cf5.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123c07201_Sun16eddc15d.exe

"C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123c07201_Sun16eddc15d.exe" -u

C:\Users\Admin\AppData\Local\Temp\is-ANNTS.tmp\61db124581e67_Sun16f69cf5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-ANNTS.tmp\61db124581e67_Sun16f69cf5.tmp" /SL5="$A0056,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124581e67_Sun16f69cf5.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d0b1da_Sun16b440cb5.exe

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d0b1da_Sun16b440cb5.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsA

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 356

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\gM~Z.Ibb

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\gM~Z.Ibb

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1148 -ip 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1844

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61db124485050_Sun16393bc6d27.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124485050_Sun16393bc6d27.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2608 -ip 2608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1696

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61db124485050_Sun16393bc6d27.exe" /f

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff83cc6cc40,0x7ff83cc6cc4c,0x7ff83cc6cc58

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 548 -p 4904 -ip 4904

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2272 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3048 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3284,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4712 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4668,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3672,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5168,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5060 -ip 5060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 2060

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5268 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5252,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5408 /prefetch:8

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\gM~Z.Ibb

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\gM~Z.Ibb

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5572,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5608 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4876,i,16585963361510962585,6619770819762761921,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\e59c9ed.exe

"C:\Users\Admin\AppData\Local\Temp\e59c9ed.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5548 -ip 5548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 784

Network

Country Destination Domain Proto
US 8.8.8.8:53 kelenxz.xyz udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 www.listincode.com udp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
FR 212.193.30.45:80 212.193.30.45 tcp
US 104.26.2.46:443 iplogger.org tcp
FR 212.193.30.45:443 tcp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 45.30.193.212.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 noplayboy.com udp
US 8.8.8.8:53 artmy.top udp
US 8.8.8.8:53 enahsmusic.com udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 104.26.2.46:80 iplogger.org tcp
US 8.8.8.8:53 enahsmusic.com udp
DE 88.99.35.59:63020 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:80 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:80 iplogger.org tcp
N/A 127.0.0.1:64215 tcp
N/A 127.0.0.1:64217 tcp
US 8.8.8.8:53 youtube4kdowloader.club udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 www.hhiuew33.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 3.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 172.217.169.10:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 172.217.169.10:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.206:443 play.google.com tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.213.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.213.58.216.in-addr.arpa udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 funsystems.me udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 my-4ll-group.bar udp
US 8.8.8.8:53 m525-blockchain32.bar udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
N/A 224.0.0.251:5353 udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
DE 88.99.35.59:63020 tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
FR 77.233.110.97:8080 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\setup_install.exe

MD5 a60500da6ed682914acc9c9889ecdb30
SHA1 5ed444ae92eda90cb48a7eb692b7316bbdddcf2e
SHA256 dbd53a82efa7af241b40aa7036ac5967050d31c4aaea8b2d8b7f733f218b3ae9
SHA512 cff66730c208f49f0481173ebf71ff143714508d90489aec3eca7fc60fe038be6e74980734871c58dd83eb2b526c0545dfb48349db9384698f13e0c6666a08dc

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/1336-77-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1248c3618_Sun163d2f1a2.exe

MD5 58a32a80e87073b560ddd8318975078c
SHA1 fa94fc82dfc3e8acfd0d33cc83c007c34ae46a04
SHA256 cda9a7862fc5a5b28b51448ad2676571012e282fbc652746e4df050d28fe1d59
SHA512 1a0edbddd301ca8b95b32a0491e73ba7de5ad3c5eade61c165a06adb97ea300491e9bfd4aa8c6d3fe0afac51a898d7e42dbeadb4a601a6fd57dcdf97bbc6841b

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db1247ebe9a_Sun16487c750.exe

MD5 d268fe46ea18023fbcd2bfcb52daae21
SHA1 96a4cd529d33b88096e1ef23d10dce348205e737
SHA256 d45f31cc5cbccbf3319a73964344536264c85909ca43d8639a437b3f47f38640
SHA512 1b39ec7d2f6087890e3d4ef2362418f02d18dc2b38535584ff8eda16f7db8fe604bcee65648e32a77dbc3f09e8057ac49407a3c721e06816815c60baebb91c75

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124687449_Sun160c8bdb.exe

MD5 f6c9b83f094c110a003c0a917109c77c
SHA1 7d5a70dc2630aaea4e274e967f6196a17ab89192
SHA256 44d800ab20b4e2681b036f60bdb50410fc5708ddae0ea1256193782c5f6c1797
SHA512 35dd96c5ea635d211eee5c9a7a05d2ea4e61dbbb2e6f0578b2149d9fddbfaf0488183704fff18c0ba79ae2506a6da4c9c55a7d8dcf4dcdf1b40bdd61ffdab9b5

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12463c38c_Sun163f038f56b.exe

MD5 14d0d4049bb131fb31dcb7b3736661e7
SHA1 927d885f395bc5ae04e442b9a56a6bd3908d1447
SHA256 427ddd764ac020fc8a5f4a164cc8e1e282e8f53fc5ad34256b2aeb7fe8d68ca5
SHA512 bf0bf5337e2c2815f5f93f6006f2ac2742bb6d60324c7f3eedfbbe041c41ae9b2da1956417c467f668d71fc93c4835d4a81c961c04cbb286c887b99e82bb0994

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124581e67_Sun16f69cf5.exe

MD5 996061fe21353bf63874579cc6c090cc
SHA1 eeaf5d66e0ff5e9ddad02653c5bf6af5275e47e9
SHA256 b9dad89b3de1d7f9a4b73a5d107c74f716a6e2e89d653c48ab47108b37ad699a
SHA512 042ea077acfc0dff8684a5eb304af15177c4e6f54c774471b8091669b1ab16833894ca7a52917f8a6bbeacbb6532db521cea61d70ac4c5c992cb4896083d6c93

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124485050_Sun16393bc6d27.exe

MD5 3284ebb732afafbe79f67d3bcc90835e
SHA1 385a968ae4f9a9849d4a236fd82ffd62d847e12e
SHA256 d0866023aa638155dc8f1f167c67f6f323475e22ae19a073e770e34dc08b2d60
SHA512 bbf6c08f81dce8e39b42822d579100bfcf13469226fc43a343988a782e47d3767e4e7211acbeb7d3a77395b32550ebed7bc05d50ba29c9e17dd572f751610745

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12415525f_Sun165e4b43.exe

MD5 7343332458864c6515115517f6d03472
SHA1 16836826d8dbe16b7e5832f90bc1b8065f5fb852
SHA256 2879d8d2187f5581a500d683c6c3fea8a94f9b3ef4f1913f36b5f5b928baa15e
SHA512 0264831861d58877f8f1e3e95f477509dc9381a66d54617b4a2b858843581e903a483048b6cf4452c21add68a96470228fba618f5e7d02cc13e429f0e8afe6ce

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db12406f6aa_Sun162d98072de.exe

MD5 8cb3f6ba5e7b3b4d71162a0846baaebd
SHA1 19543ffebd39ca3ed9296bfa127d04d4b00e422b
SHA256 a25bd95aeb2115ef24d3545fc11150200f567027c0673daf0bbeede99a651b4a
SHA512 451e5f10d4d9faccc03f529b89cd674a64f2157b0c58792165290ac65f590b03d4fc04820e48cd07431168e11c31c2090d3d68264b95277ad3c3f3df765967e1

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123f27aeb_Sun16fd2d2c6.exe

MD5 aa75aa3f07c593b1cd7441f7d8723e14
SHA1 f8e9190ccb6b36474c63ed65a74629ad490f2620
SHA256 af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1
SHA512 b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d53987_Sun167d37725.exe

MD5 08f817588ebd16413a5081bfd5628f16
SHA1 9ae4bbfab9c1639dcd12a910f7fae8b027b16b44
SHA256 835689c6185fa6765c17ce947fcb0f5c1ceec8f405bedc15632d0743299a5882
SHA512 2a48dd89970f64e2858811795f24f2be0c98733bc66909baa73143394d708c0a3aaad498836ed912cc0f96c82482e01d920a73b1787291d2e38dda5fe2d44779

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123d0b1da_Sun16b440cb5.exe

MD5 3e52b9d96ebb916e79769c0ed601bb06
SHA1 f12d72f429e4f6126efe3aab708d057e761bd53c
SHA256 114613b6e775967d70c998abbf651018a21acbd9ea84dd0f7582ead6a9f07289
SHA512 ab981251eb64fd4616d8c3278df3cdcebe93f86cc9382adb4967869b83a3f7e3315449e2f3c7edba33b55f15ead7d0a78d39f9a7bc48901904e6ac3c5e4b9f71

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123c07201_Sun16eddc15d.exe

MD5 e2c982d6178375365eb7977c873b3a63
SHA1 f86b9f418a01fdb93018d10ad289f79cfa8a72ae
SHA256 d4b90392cc143ffe8cc6ec13a76f46280ebd1568c4426c5f7779abdc8f1804f6
SHA512 83c25a01288cc35d2c99cc3176b3bf3b10d940141093f7a160a843a8e330315066c4751a423df2147f6f2def01332dbcfe539b469a74de4c2605d74ed9c39f1d

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db123b5520c_Sun167e6e8e5.exe

MD5 29fa0d00300d275c04b2d0cc3b969c57
SHA1 329b7fbe6ba9ceca9507af8adec6771799c2e841
SHA256 28314e224dcbae977cbf7dec0cda849e4a56cec90b3568a29b6bbd9234b895aa
SHA512 4925a7e5d831ebc1da9a6f7e77f5022e83f7f01032d102a41dd9e33a4df546202b3b27effb912aa46e5b007bda11238e1fc67f8c74ddac4993a6ee108a6cd411

memory/1336-76-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1336-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\61db124390898_Sun1668743e.exe

MD5 f3fa68a9fe766e5c40c56e41754b27a7
SHA1 f3f6a7e1bb2a8724d1e9278be4dbcc25c64e8a14
SHA256 301b9f12179808e82d295dd32c037172fe57b365bdf7f66acbe89e6cf34a5b92
SHA512 027ee5d7f6844474d5520f292763331ebad80449ac7908c209dd8b40654d4ac3ee30d63ac3029c24b83c74a6e42f74cff40b5978f6f7d668496660f2653772bf

memory/1336-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1336-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1336-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1336-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1336-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1336-67-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1336-66-0x0000000064941000-0x000000006494F000-memory.dmp

memory/1336-65-0x0000000000F30000-0x0000000000FBF000-memory.dmp

memory/1336-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/1336-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1336-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1336-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS843BE7B7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/1608-117-0x0000000000400000-0x0000000000602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-U4CAC.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/5060-130-0x00000000007B0000-0x00000000007C0000-memory.dmp

memory/1556-131-0x00000000057B0000-0x0000000005DD8000-memory.dmp

memory/4880-132-0x0000000004F30000-0x0000000004FA6000-memory.dmp

memory/4880-133-0x0000000004F00000-0x0000000004F1E000-memory.dmp

memory/3292-120-0x0000000002AA0000-0x0000000002AD6000-memory.dmp

memory/1608-118-0x0000000076940000-0x0000000076B55000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-9PJD6.tmp\61db124581e67_Sun16f69cf5.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/4380-142-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4880-143-0x0000000005880000-0x0000000005E24000-memory.dmp

memory/2188-138-0x0000000000400000-0x0000000000414000-memory.dmp

memory/636-109-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/4880-113-0x0000000000640000-0x00000000006CA000-memory.dmp

memory/1608-112-0x0000000000910000-0x0000000000911000-memory.dmp

memory/1608-110-0x0000000000400000-0x0000000000602000-memory.dmp

memory/1608-105-0x0000000000400000-0x0000000000602000-memory.dmp

memory/664-102-0x00000000001E0000-0x00000000001E8000-memory.dmp

memory/4868-96-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4868-152-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3292-155-0x0000000005A30000-0x0000000005A96000-memory.dmp

memory/1336-175-0x0000000000F30000-0x0000000000FBF000-memory.dmp

memory/636-192-0x0000000000400000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UGMB2.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1336-174-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3292-185-0x0000000005AA0000-0x0000000005DF4000-memory.dmp

memory/1336-168-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1336-167-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1336-165-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3292-154-0x00000000059C0000-0x0000000005A26000-memory.dmp

memory/3292-153-0x0000000005920000-0x0000000005942000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p3dokr4b.4qf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1336-173-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1336-156-0x0000000000400000-0x000000000051C000-memory.dmp

memory/3292-204-0x0000000006090000-0x00000000060AE000-memory.dmp

memory/3292-209-0x00000000065C0000-0x000000000660C000-memory.dmp

memory/2248-213-0x0000000000400000-0x0000000002B7E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61db123d0b1da_Sun16b440cb5.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/3692-222-0x0000000005870000-0x000000000597A000-memory.dmp

memory/3692-220-0x0000000005B80000-0x0000000006198000-memory.dmp

memory/3692-226-0x00000000057A0000-0x00000000057DC000-memory.dmp

memory/3692-219-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3692-221-0x0000000005600000-0x0000000005612000-memory.dmp

memory/2496-225-0x0000000002C20000-0x0000000003C20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 ba3a98e2a1faacf0ad668b4e9582a109
SHA1 1160c029a6257f776a6ed1cfdc09ae158d613ae3
SHA256 8165138265a2bf60d2edd69662c399bdbf1426108e98c5dfff5933168eba33f5
SHA512 d255da482ad2e9fa29b84676028c21683b0df7663113e2b0b7c6ff07c9fb8995e81a589e6c8d157ce33c1f266ac12a512821894159eee37dbb53a1d3ae6d6825

memory/3292-231-0x0000000007070000-0x00000000070A2000-memory.dmp

memory/3292-243-0x0000000007120000-0x00000000071C3000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 6bb2e90552d458601a8399903f903547
SHA1 47dc92e40544e91e2fbfa4c3e3b22bae1fc5d0fd
SHA256 50c470d72a95f3904bd7c77c07c81cfe12890c774c8c2ac560ce7475dc9bf1fb
SHA512 0c7215ab940bd6d177ff2ca97e370a799d819d71134cfbb7ac8512424ac92281c243b83f7cbd8435f3daa89dd7509cbcb36f781e64167451665f009429e3d4c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 3c0e335dcf8e3a457d2b0b926a939092
SHA1 f1c4e15429b825b22854a42d5bf081d48d77d843
SHA256 9844c07a2c631acdd73d81d7c7b5a45ca4d1671feeb32d013d23b74b1aee36a6
SHA512 471b28d446467c9cd19caa61f3196b4c0fc167f971330d5a9889e99d226493e1d2b588d01da98515182cb815240857ef94f3e9296882be994a0b338207afcb99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

memory/1556-244-0x000000006DD40000-0x000000006DD8C000-memory.dmp

memory/3292-242-0x0000000006630000-0x000000000664E000-memory.dmp

memory/3292-232-0x000000006DD40000-0x000000006DD8C000-memory.dmp

memory/3292-259-0x00000000073D0000-0x00000000073EA000-memory.dmp

memory/3292-258-0x0000000007A50000-0x00000000080CA000-memory.dmp

memory/3292-260-0x0000000007440000-0x000000000744A000-memory.dmp

memory/1556-261-0x0000000007C60000-0x0000000007CF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

memory/1556-264-0x0000000007BF0000-0x0000000007C01000-memory.dmp

memory/1556-265-0x0000000007C20000-0x0000000007C2E000-memory.dmp

memory/1556-271-0x0000000007C30000-0x0000000007C44000-memory.dmp

memory/1608-268-0x0000000076940000-0x0000000076B55000-memory.dmp

memory/1608-269-0x00000000758A0000-0x000000007595F000-memory.dmp

memory/1608-270-0x0000000000400000-0x0000000000602000-memory.dmp

memory/2608-266-0x0000000000400000-0x0000000002B95000-memory.dmp

memory/1556-272-0x0000000007D20000-0x0000000007D3A000-memory.dmp

memory/2496-274-0x000000002DA10000-0x000000002DABF000-memory.dmp

memory/1556-275-0x0000000007D10000-0x0000000007D18000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3cd3cda70f6bf2bff1a89d08e3d3a371
SHA1 b86f52f64c75fea06f6f90465810b5d37fbd0a18
SHA256 6009213be6b659c55322487ab114fe1ae4f7976ccc2318fec61f0ff1f6d6eada
SHA512 00d6ed578588341ba439d82fd69d16d84be385957963bfb43d9f5b72873c43100befb3ff45056c412a0c84e6d263e1a39536868cb872e350732ac8237a15725b

memory/2496-281-0x000000002DAC0000-0x000000002DB5C000-memory.dmp

memory/2496-284-0x000000002DAC0000-0x000000002DB5C000-memory.dmp

memory/2496-282-0x000000002DAC0000-0x000000002DB5C000-memory.dmp

memory/3284-286-0x0000000000400000-0x000000000047C000-memory.dmp

memory/2188-300-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2412-304-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2496-316-0x0000000002C20000-0x0000000003C20000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 b5fd36c9d53a267711cd734efb4b7943
SHA1 cc6680d8f2fff14ae0cb7134ca66a50e022716a8
SHA256 85533f8f581b8629379c63e3158d7dbbbb819839824e4c3a362f056c3fbfac4f
SHA512 0862156b933fb011957e00ce6fd72b2aa6498668cc8a8e75bd3ea36f658b388b7a16c03641be53b5aaab953022567aa16e4a94c2087b67514f9980b30f022e82

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 79c17e311fc1c6ba2fa55f53b1171562
SHA1 db4cdb9c381f18eabc9458be02db2834117b6004
SHA256 ef747ccbc4f45cac321190d2cd1a7a27e1b728ed20f6592f81a59cd737cf7488
SHA512 94168a2fe71738023eee3570e0a43c577fd747fda5d68498514ab84aafe5501783e5948ca95e882b5e12492a1d437cc0e3599e6ab6ae1e3d3b0b31daa715f6bf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e485d986-30a6-481a-a825-5ab7258ad0db.tmp

MD5 5a67def805dfaf68b60a571bbd637446
SHA1 33f24692866d6417e70663af2e8f2bb4a340085a
SHA256 661856e5816dee53d1fd8ea0485c6537d8a9eb9774136412cd97943eaff0f9c1
SHA512 94d8e15b301cfbfd35fbd22458aa6a0aa77cf0d5d292a114bcd427a724086095cfdc6b5570fd8c2bdbe0a623b4879a6b61af7b8fac3084bed5d35dd204165973

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 1173230f79922689a7220a3ec6676b7c
SHA1 fb65044b893f257679f0f9800b60ab43077fa56f
SHA256 1157d9a6d0bfd842fd4efaeca3b2c6ddf0088a0b46394528d721d7c39b1c880d
SHA512 4abc307a039ec0c7857636364a8b9bb6bcf4cd8d6d886633508370cf1a787247c300191c78a426035208536dcb0f9dab335d9939c92ebb4ec764f6226c4bb3b4

memory/1608-373-0x0000000074DF0000-0x0000000075071000-memory.dmp

memory/1608-374-0x0000000000860000-0x0000000000893000-memory.dmp

memory/1608-385-0x0000000070D50000-0x0000000070DD9000-memory.dmp

memory/1608-384-0x0000000002D00000-0x0000000002D24000-memory.dmp

memory/1608-383-0x0000000076B60000-0x0000000076C43000-memory.dmp

memory/1608-386-0x0000000076080000-0x0000000076633000-memory.dmp

memory/1608-420-0x0000000000400000-0x0000000000602000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3b9248f6d2a5168204814c227167ac71
SHA1 b92776e6c1b5d37a27af1bc5184072c3615bece4
SHA256 86be6b27720f617de582001abc1556f048b1944ff455f2a61007249b3c3bf218
SHA512 075ffc12300bbe4f08ff1f5cfd21e32f3d8bf9d883c260750913b9d8e0f9af475007353722ac395081a6e45f3e9a85a29c7c8c5bcfee093a89fbb7d381b9203b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 9c01424a6b24c1438f2818eca0d41f5f
SHA1 7ecc4535b374b8b3791a913ff82ebd417cb887bd
SHA256 284270bed4ea6e87237d82e2386e3bc1c06828b3660f546c0717d691b6fe7408
SHA512 c23e281d0b73da54bd3325bf15e3166842e51f5db030240b238cf47596f7c73aea6a9cfde2c00f763301e978d6f053524750817eec70299a307d20ff9cbe02e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 f44de9241f4a0ccdb07bedc703d9673a
SHA1 c9d13662b721fa3373753d75a7729ba0872d3ea7
SHA256 3fdeeb2c04a6f2108414fbaf6e0abaebb0db43e6966787241a2bf282ccf8b6f2
SHA512 127d97cd8becfc7cbaebcdb7304fe6aa0bbcc37e3ba35ab1cedb17db2a3ae599f68504a2ccf054877a1c5da7f3495728b399e5d60a82003a722a713d0a14ce0c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 7d1866cf55dffdaa7ee155d196215cc0
SHA1 784bb6b05997a043b7f041a604af1e79ac524508
SHA256 6e3a23dc853176cf8cf280978bc49fa2023cf682428dc13733c6271e641d1199
SHA512 b3580722336d91491ecbc6f3c9c040e26ea0e99f2524ffd22a7c285e631147af3e582cf0865930de0db62a035c1af6721fd36153df58e9877b8de6bc3c717aad

C:\Users\Admin\AppData\Local\Temp\scoped_dir3600_1678504977\15d151e6-fdde-451c-96ae-e0c9428f1fb6.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 1ffc64e8e30fd5324f93518143905041
SHA1 50bd23b3545ddbe4e20b220991bd77b9299e19a0
SHA256 2ddd8445023f44da27a073e3cf8c4167e94d1f6c92ca81d0b0e6b252b283837b
SHA512 795eb474c5108c620c9b501366ec79b1e23448d0a7a9f3c7978ebc813ee3e2c15bbcdb0b3e8c86bebdd81fab0e250ac21aa42298c52de2c5fdf43e2d017d0a05

C:\Users\Admin\AppData\Local\Temp\scoped_dir3600_1678504977\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 bcac2bb38ea43b0416aefd00d3514c66
SHA1 c079aea6aa8d96f266c90e15b23643ac72017a23
SHA256 f6c738810ec92ec5bc17b30587148c0204c34f05061f0c5c5f180e64ea04059a
SHA512 eb59151e78b1c3edc8f5d32eca3151affff7e9c4fc8f5ed1c5b5522ca8c9a1d6fb250a36e7474291f61b07b04107a0a9152858aa03aee1d11d5f4b4916d545c5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 41d9bc34bd6e7381c524257be21c0586
SHA1 691be1d8241505d97471ceb0767c6003134a63be
SHA256 d447e3f3b4a54528dc9ebb155dedd9ffcdd3cfb2a76c091880612c568ade5f45
SHA512 4fbc41b5aa1b2f579a0371ab5e5413a1abd807ee116ac0f3d6adbf73096ed2dd08e7eb6be89b9200a0fd2d5ff798e52907fe9d0501556ecb27e1f2f8b8fa7e15

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 2519d4582cd2c54222ce71e26acdeb31
SHA1 a73356f8fbe75b5222aa9b65f740a7491dfd52ff
SHA256 a614b9f43e9a33c7c7fa7e961183929cecb874acbe4b8a93fa46601f8f29ac60
SHA512 95e09b5a4f4e8a35f4ba835ed504efeefa3d13817cce190b3114d874deeefafe71acd000fde411000ad893d307aabe6d3d38d0637b9d2c2cf888aea043d629b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 38a900909c4815f995f33b1f46c47ec4
SHA1 f57ff7d67b38c9b3d78dbb1bc9c9e98026e4d442
SHA256 675ce1e281eac4bc59acfa8c9469eed98c86f5bef915d665b0d6cbab85f58e78
SHA512 c993553dce25e0ec16ac73a9bae8dee32fa344a6adfc02c981f1470e938eed9bf1d03223cef6ad5a9af3a8b69c6a4987f5dffacb7ba13c272a4506d78fad413c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 297ca8434e740e296aa8bca8dcdcba2d
SHA1 8858beb47c6c719228c793f2984d9a3a79b7b33c
SHA256 f39b31b6ff21049d249681a2d055be0c4070f0fbaadaf22889c0b557232f0f45
SHA512 a2b782d2946afa9ddded570c3d9cf8c4f55691a0c7ecff8b0003a3bbac85820826f6f79a0f7d44f5bff6d288cfdb3bfd3ba103b8a657d724299c7373f392a0b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 434c3b8bf8422eb98ff2af6dfdd8109e
SHA1 5638bb727f6495101a5f334cbd7b224f15e9bf10
SHA256 a72b4c96ca696ba3d5c3701eeaf46aba9a9aadd06fc65f5faefc9c51ceae033a
SHA512 4ce1f2e72bbd539c8cb594dad9e26d71bc54b227f459dfd5858644de6663d45f85904eb41bfc443f00e669423108914101929067daac7940efcf27423103a6e0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4ad88cc349841060cd8d88409b995ae8
SHA1 2f45cae7936b01ab9192d8cd284ae8145c1c0ab2
SHA256 b5d171350550dc7e0ad0de446a49ec023b66f484626c25d53654871af3b0bffd
SHA512 b27afec9f51794c760416d1a826dab4b980cff01336cdc38a2c8e065a8f9869a48b5b605ed191d4b2d435520974db58d81dc89c6a9e99322102764e4af38e427

C:\Users\Admin\AppData\Local\Temp\e59c9ed.exe

MD5 620bda3df817bff8deb38758d1dc668c
SHA1 9933523941851b42047f2b7a1324eb8daa8fb1ff
SHA256 b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3
SHA512 bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568

memory/5548-1009-0x0000000000C30000-0x0000000000C38000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 01:35

Reported

2024-11-07 01:37

Platform

win7-20241023-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d53987_Sun167d37725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124390898_Sun1668743e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12406f6aa_Sun162d98072de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124687449_Sun160c8bdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1248c3618_Sun163d2f1a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12463c38c_Sun163f038f56b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d0b1da_Sun16b440cb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12415525f_Sun165e4b43.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124485050_Sun16393bc6d27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123f27aeb_Sun16fd2d2c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123b5520c_Sun167e6e8e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HISFE.tmp\61db124581e67_Sun16f69cf5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-66GL3.tmp\61db124581e67_Sun16f69cf5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d0b1da_Sun16b440cb5.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d53987_Sun167d37725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d53987_Sun167d37725.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124390898_Sun1668743e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124390898_Sun1668743e.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124687449_Sun160c8bdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124687449_Sun160c8bdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1248c3618_Sun163d2f1a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1248c3618_Sun163d2f1a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12463c38c_Sun163f038f56b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12463c38c_Sun163f038f56b.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12415525f_Sun165e4b43.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12415525f_Sun165e4b43.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d0b1da_Sun16b440cb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d0b1da_Sun16b440cb5.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124485050_Sun16393bc6d27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124485050_Sun16393bc6d27.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123f27aeb_Sun16fd2d2c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123f27aeb_Sun16fd2d2c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124581e67_Sun16f69cf5.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2180 set thread context of 1980 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d0b1da_Sun16b440cb5.exe C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d0b1da_Sun16b440cb5.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-66GL3.tmp\61db124581e67_Sun16f69cf5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124687449_Sun160c8bdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d0b1da_Sun16b440cb5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124581e67_Sun16f69cf5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124390898_Sun1668743e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d0b1da_Sun16b440cb5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123c07201_Sun16eddc15d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12415525f_Sun165e4b43.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-HISFE.tmp\61db124581e67_Sun16f69cf5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123c07201_Sun16eddc15d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123f27aeb_Sun16fd2d2c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12463c38c_Sun163f038f56b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d53987_Sun167d37725.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124581e67_Sun16f69cf5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1248c3618_Sun163d2f1a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124485050_Sun16393bc6d27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-66GL3.tmp\61db124581e67_Sun16f69cf5.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d0b1da_Sun16b440cb5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d53987_Sun167d37725.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12406f6aa_Sun162d98072de.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12415525f_Sun165e4b43.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2940 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2940 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2940 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2940 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2940 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2940 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2812 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe
PID 2812 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe
PID 2812 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe
PID 2812 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe
PID 2812 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe
PID 2812 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe
PID 2812 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe
PID 768 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe

"C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123b5520c_Sun167e6e8e5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123c07201_Sun16eddc15d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123d0b1da_Sun16b440cb5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123d53987_Sun167d37725.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123f27aeb_Sun16fd2d2c6.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db12406f6aa_Sun162d98072de.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db12415525f_Sun165e4b43.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124390898_Sun1668743e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124485050_Sun16393bc6d27.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124581e67_Sun16f69cf5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db12463c38c_Sun163f038f56b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124687449_Sun160c8bdb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db1247ebe9a_Sun16487c750.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db1248c3618_Sun163d2f1a2.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124390898_Sun1668743e.exe

61db124390898_Sun1668743e.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d53987_Sun167d37725.exe

61db123d53987_Sun167d37725.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124687449_Sun160c8bdb.exe

61db124687449_Sun160c8bdb.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124581e67_Sun16f69cf5.exe

61db124581e67_Sun16f69cf5.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123c07201_Sun16eddc15d.exe

61db123c07201_Sun16eddc15d.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12406f6aa_Sun162d98072de.exe

61db12406f6aa_Sun162d98072de.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1248c3618_Sun163d2f1a2.exe

61db1248c3618_Sun163d2f1a2.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12463c38c_Sun163f038f56b.exe

61db12463c38c_Sun163f038f56b.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123c07201_Sun16eddc15d.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123c07201_Sun16eddc15d.exe" -u

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d0b1da_Sun16b440cb5.exe

61db123d0b1da_Sun16b440cb5.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12415525f_Sun165e4b43.exe

61db12415525f_Sun165e4b43.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124485050_Sun16393bc6d27.exe

61db124485050_Sun16393bc6d27.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123f27aeb_Sun16fd2d2c6.exe

61db123f27aeb_Sun16fd2d2c6.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123b5520c_Sun167e6e8e5.exe

61db123b5520c_Sun167e6e8e5.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 264

C:\Users\Admin\AppData\Local\Temp\is-HISFE.tmp\61db124581e67_Sun16f69cf5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HISFE.tmp\61db124581e67_Sun16f69cf5.tmp" /SL5="$7019C,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124581e67_Sun16f69cf5.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe

61db1247ebe9a_Sun16487c750.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124581e67_Sun16f69cf5.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124581e67_Sun16f69cf5.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-66GL3.tmp\61db124581e67_Sun16f69cf5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-66GL3.tmp\61db124581e67_Sun16f69cf5.tmp" /SL5="$8019C,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124581e67_Sun16f69cf5.exe" /SILENT

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\gM~Z.Ibb

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\gM~Z.Ibb

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsA

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d0b1da_Sun16b440cb5.exe

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d0b1da_Sun16b440cb5.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1476

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1952 -s 472

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61db124485050_Sun16393bc6d27.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124485050_Sun16393bc6d27.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61db124485050_Sun16393bc6d27.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1660

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\gM~Z.Ibb

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\gM~Z.Ibb

Network

Country Destination Domain Proto
US 8.8.8.8:53 kelenxz.xyz udp
FR 212.193.30.45:80 212.193.30.45 tcp
FR 212.193.30.45:443 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
FR 212.193.30.45:443 tcp
US 45.144.225.57:80 tcp
US 8.8.8.8:53 www.listincode.com udp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 noplayboy.com udp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 enahsmusic.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 artmy.top udp
DE 88.99.35.59:63020 tcp
N/A 127.0.0.1:49298 tcp
N/A 127.0.0.1:49300 tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 enahsmusic.com udp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:80 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:80 iplogger.org tcp
US 8.8.8.8:53 www.hhiuew33.com udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 2.56.59.42:80 tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:80 iplogger.org tcp
US 8.8.8.8:53 youtube4kdowloader.club udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 104.26.3.46:443 iplogger.org tcp
DE 88.99.35.59:63020 tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 funsystems.me udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 my-4ll-group.bar udp
US 8.8.8.8:53 m525-blockchain32.bar udp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
DE 88.99.35.59:63020 tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
DE 88.99.35.59:63020 tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
DE 88.99.35.59:63020 tcp
FR 77.233.110.97:8080 tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
FR 77.233.110.97:8080 tcp
DE 88.99.35.59:63020 tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 5b6344c2ddb1d86060aeb6d04c350dcf
SHA1 e4a8de11e6c96ce7d694e3f4df3664ede33d130d
SHA256 fb8b312e5517e293c3e30b6be43be639ec013a4ff4660103bf2065586fd74703
SHA512 340517de0b25f8fb2a18439a26335a9c1b0f3afb5f0cde3dd5562afdb9a435660ae1d53bacd01f31ea6a9708a7e0862e0868ff545735958788d789fc54ec9eaa

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\setup_install.exe

MD5 a60500da6ed682914acc9c9889ecdb30
SHA1 5ed444ae92eda90cb48a7eb692b7316bbdddcf2e
SHA256 dbd53a82efa7af241b40aa7036ac5967050d31c4aaea8b2d8b7f733f218b3ae9
SHA512 cff66730c208f49f0481173ebf71ff143714508d90489aec3eca7fc60fe038be6e74980734871c58dd83eb2b526c0545dfb48349db9384698f13e0c6666a08dc

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/768-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/768-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124687449_Sun160c8bdb.exe

MD5 f6c9b83f094c110a003c0a917109c77c
SHA1 7d5a70dc2630aaea4e274e967f6196a17ab89192
SHA256 44d800ab20b4e2681b036f60bdb50410fc5708ddae0ea1256193782c5f6c1797
SHA512 35dd96c5ea635d211eee5c9a7a05d2ea4e61dbbb2e6f0578b2149d9fddbfaf0488183704fff18c0ba79ae2506a6da4c9c55a7d8dcf4dcdf1b40bdd61ffdab9b5

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1248c3618_Sun163d2f1a2.exe

MD5 58a32a80e87073b560ddd8318975078c
SHA1 fa94fc82dfc3e8acfd0d33cc83c007c34ae46a04
SHA256 cda9a7862fc5a5b28b51448ad2676571012e282fbc652746e4df050d28fe1d59
SHA512 1a0edbddd301ca8b95b32a0491e73ba7de5ad3c5eade61c165a06adb97ea300491e9bfd4aa8c6d3fe0afac51a898d7e42dbeadb4a601a6fd57dcdf97bbc6841b

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d53987_Sun167d37725.exe

MD5 08f817588ebd16413a5081bfd5628f16
SHA1 9ae4bbfab9c1639dcd12a910f7fae8b027b16b44
SHA256 835689c6185fa6765c17ce947fcb0f5c1ceec8f405bedc15632d0743299a5882
SHA512 2a48dd89970f64e2858811795f24f2be0c98733bc66909baa73143394d708c0a3aaad498836ed912cc0f96c82482e01d920a73b1787291d2e38dda5fe2d44779

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12406f6aa_Sun162d98072de.exe

MD5 8cb3f6ba5e7b3b4d71162a0846baaebd
SHA1 19543ffebd39ca3ed9296bfa127d04d4b00e422b
SHA256 a25bd95aeb2115ef24d3545fc11150200f567027c0673daf0bbeede99a651b4a
SHA512 451e5f10d4d9faccc03f529b89cd674a64f2157b0c58792165290ac65f590b03d4fc04820e48cd07431168e11c31c2090d3d68264b95277ad3c3f3df765967e1

\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124390898_Sun1668743e.exe

MD5 f3fa68a9fe766e5c40c56e41754b27a7
SHA1 f3f6a7e1bb2a8724d1e9278be4dbcc25c64e8a14
SHA256 301b9f12179808e82d295dd32c037172fe57b365bdf7f66acbe89e6cf34a5b92
SHA512 027ee5d7f6844474d5520f292763331ebad80449ac7908c209dd8b40654d4ac3ee30d63ac3029c24b83c74a6e42f74cff40b5978f6f7d668496660f2653772bf

\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124581e67_Sun16f69cf5.exe

MD5 996061fe21353bf63874579cc6c090cc
SHA1 eeaf5d66e0ff5e9ddad02653c5bf6af5275e47e9
SHA256 b9dad89b3de1d7f9a4b73a5d107c74f716a6e2e89d653c48ab47108b37ad699a
SHA512 042ea077acfc0dff8684a5eb304af15177c4e6f54c774471b8091669b1ab16833894ca7a52917f8a6bbeacbb6532db521cea61d70ac4c5c992cb4896083d6c93

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db1247ebe9a_Sun16487c750.exe

MD5 d268fe46ea18023fbcd2bfcb52daae21
SHA1 96a4cd529d33b88096e1ef23d10dce348205e737
SHA256 d45f31cc5cbccbf3319a73964344536264c85909ca43d8639a437b3f47f38640
SHA512 1b39ec7d2f6087890e3d4ef2362418f02d18dc2b38535584ff8eda16f7db8fe604bcee65648e32a77dbc3f09e8057ac49407a3c721e06816815c60baebb91c75

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12463c38c_Sun163f038f56b.exe

MD5 14d0d4049bb131fb31dcb7b3736661e7
SHA1 927d885f395bc5ae04e442b9a56a6bd3908d1447
SHA256 427ddd764ac020fc8a5f4a164cc8e1e282e8f53fc5ad34256b2aeb7fe8d68ca5
SHA512 bf0bf5337e2c2815f5f93f6006f2ac2742bb6d60324c7f3eedfbbe041c41ae9b2da1956417c467f668d71fc93c4835d4a81c961c04cbb286c887b99e82bb0994

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db124485050_Sun16393bc6d27.exe

MD5 3284ebb732afafbe79f67d3bcc90835e
SHA1 385a968ae4f9a9849d4a236fd82ffd62d847e12e
SHA256 d0866023aa638155dc8f1f167c67f6f323475e22ae19a073e770e34dc08b2d60
SHA512 bbf6c08f81dce8e39b42822d579100bfcf13469226fc43a343988a782e47d3767e4e7211acbeb7d3a77395b32550ebed7bc05d50ba29c9e17dd572f751610745

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db12415525f_Sun165e4b43.exe

MD5 7343332458864c6515115517f6d03472
SHA1 16836826d8dbe16b7e5832f90bc1b8065f5fb852
SHA256 2879d8d2187f5581a500d683c6c3fea8a94f9b3ef4f1913f36b5f5b928baa15e
SHA512 0264831861d58877f8f1e3e95f477509dc9381a66d54617b4a2b858843581e903a483048b6cf4452c21add68a96470228fba618f5e7d02cc13e429f0e8afe6ce

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123f27aeb_Sun16fd2d2c6.exe

MD5 aa75aa3f07c593b1cd7441f7d8723e14
SHA1 f8e9190ccb6b36474c63ed65a74629ad490f2620
SHA256 af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1
SHA512 b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123d0b1da_Sun16b440cb5.exe

MD5 3e52b9d96ebb916e79769c0ed601bb06
SHA1 f12d72f429e4f6126efe3aab708d057e761bd53c
SHA256 114613b6e775967d70c998abbf651018a21acbd9ea84dd0f7582ead6a9f07289
SHA512 ab981251eb64fd4616d8c3278df3cdcebe93f86cc9382adb4967869b83a3f7e3315449e2f3c7edba33b55f15ead7d0a78d39f9a7bc48901904e6ac3c5e4b9f71

C:\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123b5520c_Sun167e6e8e5.exe

MD5 29fa0d00300d275c04b2d0cc3b969c57
SHA1 329b7fbe6ba9ceca9507af8adec6771799c2e841
SHA256 28314e224dcbae977cbf7dec0cda849e4a56cec90b3568a29b6bbd9234b895aa
SHA512 4925a7e5d831ebc1da9a6f7e77f5022e83f7f01032d102a41dd9e33a4df546202b3b27effb912aa46e5b007bda11238e1fc67f8c74ddac4993a6ee108a6cd411

\Users\Admin\AppData\Local\Temp\7zSCFA88D56\61db123c07201_Sun16eddc15d.exe

MD5 e2c982d6178375365eb7977c873b3a63
SHA1 f86b9f418a01fdb93018d10ad289f79cfa8a72ae
SHA256 d4b90392cc143ffe8cc6ec13a76f46280ebd1568c4426c5f7779abdc8f1804f6
SHA512 83c25a01288cc35d2c99cc3176b3bf3b10d940141093f7a160a843a8e330315066c4751a423df2147f6f2def01332dbcfe539b469a74de4c2605d74ed9c39f1d

memory/1940-129-0x0000000001070000-0x0000000001078000-memory.dmp

memory/2136-133-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1540-143-0x00000000003D0000-0x00000000003D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8UCH8WM897WL40QSOKZD.temp

MD5 e1fafae53b9f1b873e18393cfb72cfea
SHA1 9a7149eefe1adf1c7f14076699f624003f0bb0bb
SHA256 9fc1aac09f915e926f55b63649001861142983705868fc76f9c1ffa7cb2d8439
SHA512 b1665f817f505ed6a81bf15592ea420898b51d81577ca7c043ba25e6f97e23102949ba37c28f49ab3e11f3d77f189c1a75e718d9b2204e4ad02dcd324c77942d

memory/1540-142-0x0000000000400000-0x0000000000602000-memory.dmp

memory/1540-147-0x0000000000B70000-0x0000000000D72000-memory.dmp

memory/1540-146-0x0000000000400000-0x0000000000602000-memory.dmp

memory/2092-145-0x0000000002760000-0x0000000002962000-memory.dmp

memory/1540-149-0x0000000077150000-0x0000000077197000-memory.dmp

memory/1540-151-0x0000000000B70000-0x0000000000D72000-memory.dmp

memory/2092-144-0x0000000002760000-0x0000000002962000-memory.dmp

memory/1540-148-0x0000000000400000-0x0000000000602000-memory.dmp

memory/1540-150-0x0000000077710000-0x00000000777BC000-memory.dmp

memory/3008-152-0x00000000027A0000-0x000000000287E000-memory.dmp

memory/2560-153-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/768-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/768-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2296-166-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2744-168-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2136-167-0x0000000000400000-0x0000000000414000-memory.dmp

memory/768-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/768-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/768-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/768-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/768-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-66GL3.tmp\61db124581e67_Sun16f69cf5.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-NTLHL.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\is-NTLHL.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/768-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSCFA88D56\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/768-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/768-71-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSCFA88D56\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2180-181-0x0000000000D00000-0x0000000000D8A000-memory.dmp

memory/2904-180-0x0000000000A70000-0x0000000000A80000-memory.dmp

memory/768-187-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/768-189-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2092-191-0x0000000002760000-0x0000000002962000-memory.dmp

memory/768-190-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1540-192-0x0000000000B70000-0x0000000000D72000-memory.dmp

memory/768-188-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/768-186-0x0000000064940000-0x0000000064959000-memory.dmp

memory/768-185-0x0000000000400000-0x000000000051C000-memory.dmp

memory/3040-196-0x0000000000400000-0x0000000002B7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 ba3a98e2a1faacf0ad668b4e9582a109
SHA1 1160c029a6257f776a6ed1cfdc09ae158d613ae3
SHA256 8165138265a2bf60d2edd69662c399bdbf1426108e98c5dfff5933168eba33f5
SHA512 d255da482ad2e9fa29b84676028c21683b0df7663113e2b0b7c6ff07c9fb8995e81a589e6c8d157ce33c1f266ac12a512821894159eee37dbb53a1d3ae6d6825

memory/1540-228-0x0000000000B70000-0x0000000000D72000-memory.dmp

memory/1540-227-0x0000000000400000-0x0000000000602000-memory.dmp

memory/2092-226-0x0000000002760000-0x0000000002962000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA045.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2560-233-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/3032-234-0x0000000002780000-0x0000000003780000-memory.dmp

memory/1540-237-0x0000000077150000-0x0000000077197000-memory.dmp

memory/1540-238-0x0000000077710000-0x00000000777BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 7165e9d7456520d1f1644aa26da7c423
SHA1 177f9116229a021e24f80c4059999c4c52f9e830
SHA256 40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
SHA512 fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

memory/2000-246-0x0000000000400000-0x000000000047C000-memory.dmp

memory/2744-247-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1980-248-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1348-260-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1980-259-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1980-258-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1980-257-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1980-256-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1980-254-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1980-252-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1980-250-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3032-264-0x000000002D270000-0x000000002D31F000-memory.dmp

memory/768-265-0x0000000000400000-0x000000000051C000-memory.dmp

memory/768-266-0x0000000064940000-0x0000000064959000-memory.dmp

memory/768-272-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/768-271-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/768-269-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/768-273-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3032-279-0x000000002D630000-0x000000002D6CC000-memory.dmp

memory/3032-280-0x0000000002780000-0x0000000003780000-memory.dmp

memory/3032-277-0x000000002D630000-0x000000002D6CC000-memory.dmp

memory/3032-276-0x000000002D630000-0x000000002D6CC000-memory.dmp

memory/1116-285-0x0000000000400000-0x0000000002B95000-memory.dmp

memory/1540-308-0x0000000002850000-0x0000000002874000-memory.dmp

memory/1540-452-0x0000000000400000-0x0000000000602000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 01:35

Reported

2024-11-07 01:37

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123c07201_Sun16eddc15d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d53987_Sun167d37725.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1248c3618_Sun163d2f1a2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124485050_Sun16393bc6d27.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-0K4QT.tmp\61db124581e67_Sun16f69cf5.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124485050_Sun16393bc6d27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124390898_Sun1668743e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db12415525f_Sun165e4b43.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124687449_Sun160c8bdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123b5520c_Sun167e6e8e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d0b1da_Sun16b440cb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db12463c38c_Sun163f038f56b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db12406f6aa_Sun162d98072de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123f27aeb_Sun16fd2d2c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d53987_Sun167d37725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1248c3618_Sun163d2f1a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0K4QT.tmp\61db124581e67_Sun16f69cf5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-EEUUV.tmp\61db124581e67_Sun16f69cf5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d0b1da_Sun16b440cb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e59ac53.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4460 set thread context of 5024 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d0b1da_Sun16b440cb5.exe C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d0b1da_Sun16b440cb5.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d0b1da_Sun16b440cb5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d53987_Sun167d37725.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-0K4QT.tmp\61db124581e67_Sun16f69cf5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124390898_Sun1668743e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123c07201_Sun16eddc15d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1248c3618_Sun163d2f1a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124581e67_Sun16f69cf5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-EEUUV.tmp\61db124581e67_Sun16f69cf5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db12463c38c_Sun163f038f56b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123f27aeb_Sun16fd2d2c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e59ac53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124485050_Sun16393bc6d27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124581e67_Sun16f69cf5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123c07201_Sun16eddc15d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db12415525f_Sun165e4b43.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124687449_Sun160c8bdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d0b1da_Sun16b440cb5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124390898_Sun1668743e.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124390898_Sun1668743e.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124390898_Sun1668743e.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133754169467560160" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db12406f6aa_Sun162d98072de.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d0b1da_Sun16b440cb5.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d53987_Sun167d37725.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3492 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3492 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1948 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe
PID 1948 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe
PID 1948 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe
PID 3588 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 3588 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 3588 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 3588 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124485050_Sun16393bc6d27.exe
PID 3144 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124485050_Sun16393bc6d27.exe
PID 3144 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124485050_Sun16393bc6d27.exe
PID 3804 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124390898_Sun1668743e.exe
PID 3804 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124390898_Sun1668743e.exe
PID 3804 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124390898_Sun1668743e.exe
PID 4156 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4156 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4156 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe

"C:\Users\Admin\AppData\Local\Temp\cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123b5520c_Sun167e6e8e5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123c07201_Sun16eddc15d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123d0b1da_Sun16b440cb5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123d53987_Sun167d37725.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123f27aeb_Sun16fd2d2c6.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db12406f6aa_Sun162d98072de.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db12415525f_Sun165e4b43.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124390898_Sun1668743e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124485050_Sun16393bc6d27.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124581e67_Sun16f69cf5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db12463c38c_Sun163f038f56b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124687449_Sun160c8bdb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db1247ebe9a_Sun16487c750.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db1248c3618_Sun163d2f1a2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124485050_Sun16393bc6d27.exe

61db124485050_Sun16393bc6d27.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124390898_Sun1668743e.exe

61db124390898_Sun1668743e.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db12415525f_Sun165e4b43.exe

61db12415525f_Sun165e4b43.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124687449_Sun160c8bdb.exe

61db124687449_Sun160c8bdb.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123b5520c_Sun167e6e8e5.exe

61db123b5520c_Sun167e6e8e5.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124581e67_Sun16f69cf5.exe

61db124581e67_Sun16f69cf5.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db12406f6aa_Sun162d98072de.exe

61db12406f6aa_Sun162d98072de.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123c07201_Sun16eddc15d.exe

61db123c07201_Sun16eddc15d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d0b1da_Sun16b440cb5.exe

61db123d0b1da_Sun16b440cb5.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db12463c38c_Sun163f038f56b.exe

61db12463c38c_Sun163f038f56b.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123f27aeb_Sun16fd2d2c6.exe

61db123f27aeb_Sun16fd2d2c6.exe /mixtwo

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3588 -ip 3588

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d53987_Sun167d37725.exe

61db123d53987_Sun167d37725.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe

61db1247ebe9a_Sun16487c750.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1248c3618_Sun163d2f1a2.exe

61db1248c3618_Sun163d2f1a2.exe

C:\Users\Admin\AppData\Local\Temp\is-0K4QT.tmp\61db124581e67_Sun16f69cf5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0K4QT.tmp\61db124581e67_Sun16f69cf5.tmp" /SL5="$40294,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124581e67_Sun16f69cf5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2240 -ip 2240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 408

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d0b1da_Sun16b440cb5.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d0b1da_Sun16b440cb5.exe

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124581e67_Sun16f69cf5.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124581e67_Sun16f69cf5.exe" /SILENT

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsA

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123c07201_Sun16eddc15d.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123c07201_Sun16eddc15d.exe" -u

C:\Users\Admin\AppData\Local\Temp\is-EEUUV.tmp\61db124581e67_Sun16f69cf5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EEUUV.tmp\61db124581e67_Sun16f69cf5.tmp" /SL5="$90284,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124581e67_Sun16f69cf5.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\gM~Z.Ibb

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2696 -ip 2696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 356

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\gM~Z.Ibb

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1348 -ip 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1824

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61db124485050_Sun16393bc6d27.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124485050_Sun16393bc6d27.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 860 -ip 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1740

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61db124485050_Sun16393bc6d27.exe" /f

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd2a69cc40,0x7ffd2a69cc4c,0x7ffd2a69cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2244 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4456 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4520,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4500 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4644,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4660 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4360,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5076,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3584 -ip 3584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 2040

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4812,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5152 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3640 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4500,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=208 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3660,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5380 /prefetch:2

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\gM~Z.Ibb

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\gM~Z.Ibb

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4888,i,16893999145236291039,2750123677625834690,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\e59ac53.exe

"C:\Users\Admin\AppData\Local\Temp\e59ac53.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 740 -ip 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 780

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 kelenxz.xyz udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
FR 212.193.30.45:80 212.193.30.45 tcp
US 8.8.8.8:53 www.listincode.com udp
US 45.144.225.57:80 tcp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 45.30.193.212.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 enahsmusic.com udp
US 8.8.8.8:53 artmy.top udp
US 104.26.3.46:80 iplogger.org tcp
US 8.8.8.8:53 enahsmusic.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 noplayboy.com udp
US 54.205.158.59:443 www.listincode.com tcp
US 104.26.3.46:80 iplogger.org tcp
DE 88.99.35.59:63020 tcp
US 104.26.3.46:80 iplogger.org tcp
US 8.8.8.8:53 youtube4kdowloader.club udp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 www.hhiuew33.com udp
N/A 127.0.0.1:54292 tcp
N/A 127.0.0.1:54294 tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 172.217.169.10:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 172.217.169.10:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
US 104.26.3.46:443 iplogger.org tcp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.204.65:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 65.204.58.216.in-addr.arpa udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 2.56.59.42:80 tcp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
N/A 224.0.0.251:5353 udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 funsystems.me udp
US 8.8.8.8:53 my-4ll-group.bar udp
US 8.8.8.8:53 m525-blockchain32.bar udp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
DE 88.99.35.59:63020 tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
DE 88.99.35.59:63020 tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
FR 77.233.110.97:8080 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
DE 88.99.35.59:63020 tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:443 google.com tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.3.46:443 iplogger.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 5b6344c2ddb1d86060aeb6d04c350dcf
SHA1 e4a8de11e6c96ce7d694e3f4df3664ede33d130d
SHA256 fb8b312e5517e293c3e30b6be43be639ec013a4ff4660103bf2065586fd74703
SHA512 340517de0b25f8fb2a18439a26335a9c1b0f3afb5f0cde3dd5562afdb9a435660ae1d53bacd01f31ea6a9708a7e0862e0868ff545735958788d789fc54ec9eaa

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\setup_install.exe

MD5 a60500da6ed682914acc9c9889ecdb30
SHA1 5ed444ae92eda90cb48a7eb692b7316bbdddcf2e
SHA256 dbd53a82efa7af241b40aa7036ac5967050d31c4aaea8b2d8b7f733f218b3ae9
SHA512 cff66730c208f49f0481173ebf71ff143714508d90489aec3eca7fc60fe038be6e74980734871c58dd83eb2b526c0545dfb48349db9384698f13e0c6666a08dc

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/3588-78-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3588-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3588-87-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1248c3618_Sun163d2f1a2.exe

MD5 58a32a80e87073b560ddd8318975078c
SHA1 fa94fc82dfc3e8acfd0d33cc83c007c34ae46a04
SHA256 cda9a7862fc5a5b28b51448ad2676571012e282fbc652746e4df050d28fe1d59
SHA512 1a0edbddd301ca8b95b32a0491e73ba7de5ad3c5eade61c165a06adb97ea300491e9bfd4aa8c6d3fe0afac51a898d7e42dbeadb4a601a6fd57dcdf97bbc6841b

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db1247ebe9a_Sun16487c750.exe

MD5 d268fe46ea18023fbcd2bfcb52daae21
SHA1 96a4cd529d33b88096e1ef23d10dce348205e737
SHA256 d45f31cc5cbccbf3319a73964344536264c85909ca43d8639a437b3f47f38640
SHA512 1b39ec7d2f6087890e3d4ef2362418f02d18dc2b38535584ff8eda16f7db8fe604bcee65648e32a77dbc3f09e8057ac49407a3c721e06816815c60baebb91c75

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124581e67_Sun16f69cf5.exe

MD5 996061fe21353bf63874579cc6c090cc
SHA1 eeaf5d66e0ff5e9ddad02653c5bf6af5275e47e9
SHA256 b9dad89b3de1d7f9a4b73a5d107c74f716a6e2e89d653c48ab47108b37ad699a
SHA512 042ea077acfc0dff8684a5eb304af15177c4e6f54c774471b8091669b1ab16833894ca7a52917f8a6bbeacbb6532db521cea61d70ac4c5c992cb4896083d6c93

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d0b1da_Sun16b440cb5.exe

MD5 3e52b9d96ebb916e79769c0ed601bb06
SHA1 f12d72f429e4f6126efe3aab708d057e761bd53c
SHA256 114613b6e775967d70c998abbf651018a21acbd9ea84dd0f7582ead6a9f07289
SHA512 ab981251eb64fd4616d8c3278df3cdcebe93f86cc9382adb4967869b83a3f7e3315449e2f3c7edba33b55f15ead7d0a78d39f9a7bc48901904e6ac3c5e4b9f71

memory/2980-119-0x00000000009B0000-0x00000000009B8000-memory.dmp

memory/4460-126-0x00000000003C0000-0x000000000044A000-memory.dmp

memory/3960-130-0x0000000004DC0000-0x00000000053E8000-memory.dmp

memory/3584-132-0x0000000000B60000-0x0000000000B70000-memory.dmp

memory/4460-134-0x0000000004C80000-0x0000000004C9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-0K4QT.tmp\61db124581e67_Sun16f69cf5.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-QBV1H.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/4460-131-0x0000000004CA0000-0x0000000004D16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bq3bv1er.uvv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4460-162-0x0000000005600000-0x0000000005BA4000-memory.dmp

memory/3960-164-0x0000000005440000-0x0000000005462000-memory.dmp

memory/3960-166-0x00000000055B0000-0x0000000005616000-memory.dmp

memory/3960-165-0x0000000005540000-0x00000000055A6000-memory.dmp

memory/3748-172-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4336-179-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123c07201_Sun16eddc15d.exe

MD5 e2c982d6178375365eb7977c873b3a63
SHA1 f86b9f418a01fdb93018d10ad289f79cfa8a72ae
SHA256 d4b90392cc143ffe8cc6ec13a76f46280ebd1568c4426c5f7779abdc8f1804f6
SHA512 83c25a01288cc35d2c99cc3176b3bf3b10d940141093f7a160a843a8e330315066c4751a423df2147f6f2def01332dbcfe539b469a74de4c2605d74ed9c39f1d

memory/4856-183-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3960-170-0x0000000005620000-0x0000000005974000-memory.dmp

memory/2240-125-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/4788-121-0x0000000076750000-0x0000000076965000-memory.dmp

memory/3960-122-0x0000000000D00000-0x0000000000D36000-memory.dmp

memory/4788-120-0x0000000000400000-0x0000000000602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123d53987_Sun167d37725.exe

MD5 08f817588ebd16413a5081bfd5628f16
SHA1 9ae4bbfab9c1639dcd12a910f7fae8b027b16b44
SHA256 835689c6185fa6765c17ce947fcb0f5c1ceec8f405bedc15632d0743299a5882
SHA512 2a48dd89970f64e2858811795f24f2be0c98733bc66909baa73143394d708c0a3aaad498836ed912cc0f96c82482e01d920a73b1787291d2e38dda5fe2d44779

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db12406f6aa_Sun162d98072de.exe

MD5 8cb3f6ba5e7b3b4d71162a0846baaebd
SHA1 19543ffebd39ca3ed9296bfa127d04d4b00e422b
SHA256 a25bd95aeb2115ef24d3545fc11150200f567027c0673daf0bbeede99a651b4a
SHA512 451e5f10d4d9faccc03f529b89cd674a64f2157b0c58792165290ac65f590b03d4fc04820e48cd07431168e11c31c2090d3d68264b95277ad3c3f3df765967e1

memory/4788-115-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123f27aeb_Sun16fd2d2c6.exe

MD5 aa75aa3f07c593b1cd7441f7d8723e14
SHA1 f8e9190ccb6b36474c63ed65a74629ad490f2620
SHA256 af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1
SHA512 b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b

memory/4856-109-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db123b5520c_Sun167e6e8e5.exe

MD5 29fa0d00300d275c04b2d0cc3b969c57
SHA1 329b7fbe6ba9ceca9507af8adec6771799c2e841
SHA256 28314e224dcbae977cbf7dec0cda849e4a56cec90b3568a29b6bbd9234b895aa
SHA512 4925a7e5d831ebc1da9a6f7e77f5022e83f7f01032d102a41dd9e33a4df546202b3b27effb912aa46e5b007bda11238e1fc67f8c74ddac4993a6ee108a6cd411

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db12463c38c_Sun163f038f56b.exe

MD5 14d0d4049bb131fb31dcb7b3736661e7
SHA1 927d885f395bc5ae04e442b9a56a6bd3908d1447
SHA256 427ddd764ac020fc8a5f4a164cc8e1e282e8f53fc5ad34256b2aeb7fe8d68ca5
SHA512 bf0bf5337e2c2815f5f93f6006f2ac2742bb6d60324c7f3eedfbbe041c41ae9b2da1956417c467f668d71fc93c4835d4a81c961c04cbb286c887b99e82bb0994

memory/4788-106-0x0000000000400000-0x0000000000602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124687449_Sun160c8bdb.exe

MD5 f6c9b83f094c110a003c0a917109c77c
SHA1 7d5a70dc2630aaea4e274e967f6196a17ab89192
SHA256 44d800ab20b4e2681b036f60bdb50410fc5708ddae0ea1256193782c5f6c1797
SHA512 35dd96c5ea635d211eee5c9a7a05d2ea4e61dbbb2e6f0578b2149d9fddbfaf0488183704fff18c0ba79ae2506a6da4c9c55a7d8dcf4dcdf1b40bdd61ffdab9b5

memory/4788-112-0x0000000000400000-0x0000000000602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db12415525f_Sun165e4b43.exe

MD5 7343332458864c6515115517f6d03472
SHA1 16836826d8dbe16b7e5832f90bc1b8065f5fb852
SHA256 2879d8d2187f5581a500d683c6c3fea8a94f9b3ef4f1913f36b5f5b928baa15e
SHA512 0264831861d58877f8f1e3e95f477509dc9381a66d54617b4a2b858843581e903a483048b6cf4452c21add68a96470228fba618f5e7d02cc13e429f0e8afe6ce

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124390898_Sun1668743e.exe

MD5 f3fa68a9fe766e5c40c56e41754b27a7
SHA1 f3f6a7e1bb2a8724d1e9278be4dbcc25c64e8a14
SHA256 301b9f12179808e82d295dd32c037172fe57b365bdf7f66acbe89e6cf34a5b92
SHA512 027ee5d7f6844474d5520f292763331ebad80449ac7908c209dd8b40654d4ac3ee30d63ac3029c24b83c74a6e42f74cff40b5978f6f7d668496660f2653772bf

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\61db124485050_Sun16393bc6d27.exe

MD5 3284ebb732afafbe79f67d3bcc90835e
SHA1 385a968ae4f9a9849d4a236fd82ffd62d847e12e
SHA256 d0866023aa638155dc8f1f167c67f6f323475e22ae19a073e770e34dc08b2d60
SHA512 bbf6c08f81dce8e39b42822d579100bfcf13469226fc43a343988a782e47d3767e4e7211acbeb7d3a77395b32550ebed7bc05d50ba29c9e17dd572f751610745

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 ba3a98e2a1faacf0ad668b4e9582a109
SHA1 1160c029a6257f776a6ed1cfdc09ae158d613ae3
SHA256 8165138265a2bf60d2edd69662c399bdbf1426108e98c5dfff5933168eba33f5
SHA512 d255da482ad2e9fa29b84676028c21683b0df7663113e2b0b7c6ff07c9fb8995e81a589e6c8d157ce33c1f266ac12a512821894159eee37dbb53a1d3ae6d6825

memory/2240-201-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/3588-218-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3588-221-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3588-220-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3960-224-0x0000000005A60000-0x0000000005A7E000-memory.dmp

memory/3588-219-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3960-225-0x0000000005A80000-0x0000000005ACC000-memory.dmp

memory/3588-216-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3588-212-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-N8P1C.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/3588-86-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3588-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3588-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3588-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3588-81-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3588-80-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3588-79-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3588-77-0x0000000064941000-0x000000006494F000-memory.dmp

memory/3588-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3588-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3588-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC97D52A7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/5024-230-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5024-233-0x0000000004F50000-0x000000000505A000-memory.dmp

memory/5024-232-0x0000000004E20000-0x0000000004E32000-memory.dmp

memory/5024-238-0x0000000004E80000-0x0000000004EBC000-memory.dmp

memory/5024-231-0x0000000005280000-0x0000000005898000-memory.dmp

memory/1636-237-0x0000000003290000-0x0000000004290000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61db123d0b1da_Sun16b440cb5.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/2696-239-0x0000000000400000-0x0000000002B7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

memory/3960-249-0x000000006F0D0000-0x000000006F11C000-memory.dmp

memory/4212-243-0x000000006F0D0000-0x000000006F11C000-memory.dmp

memory/3960-264-0x0000000006C50000-0x0000000006CF3000-memory.dmp

memory/3960-259-0x0000000006BE0000-0x0000000006BFE000-memory.dmp

memory/4212-242-0x00000000072F0000-0x0000000007322000-memory.dmp

memory/4212-266-0x00000000076B0000-0x00000000076CA000-memory.dmp

memory/4212-265-0x0000000007CF0000-0x000000000836A000-memory.dmp

memory/4212-267-0x0000000007730000-0x000000000773A000-memory.dmp

memory/3960-268-0x0000000007020000-0x00000000070B6000-memory.dmp

memory/4212-269-0x00000000078B0000-0x00000000078C1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 41ec32e9db12c94da1820596492ba4c1
SHA1 cc1f0e21c7ecd1a8f4d01ba009df80e6bc8aa3f0
SHA256 c3c98357e8c2a7fccf6e7a9945f95376321e98ba2d1c5e4d64158e54368bff1f
SHA512 284203a6d335893671569fbb37d7c7b177b00586e7a869e36f1a5c53a6915a5ca16dca5200da5dcee0c66dae3ebea3f7a76e635868c5d219125d22f830a2e92b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 7165e9d7456520d1f1644aa26da7c423
SHA1 177f9116229a021e24f80c4059999c4c52f9e830
SHA256 40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
SHA512 fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 26c8f81a55d2c5e93555dbc46f72b019
SHA1 dc902a7fbda9b6bbadb13ea9fb7e960bc65744a2
SHA256 9e84bfe07bb15ef53ab55a9814e1b72e37ddf5c089720997d010da1100a76f46
SHA512 da286a958bc279eea7f027adb807a2525a2415e12b0b24eb30fbf138b883eb8afb9694cd72d5c78a864fdf96b9fd083cd163124a28adc5824728326c5c357a2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

memory/3232-276-0x0000000000400000-0x000000000047C000-memory.dmp

memory/860-280-0x0000000000400000-0x0000000002B95000-memory.dmp

memory/4212-282-0x00000000078E0000-0x00000000078EE000-memory.dmp

memory/4212-283-0x00000000078F0000-0x0000000007904000-memory.dmp

memory/4212-284-0x00000000079E0000-0x00000000079FA000-memory.dmp

memory/4212-285-0x00000000079D0000-0x00000000079D8000-memory.dmp

memory/4788-289-0x0000000076750000-0x0000000076965000-memory.dmp

memory/4788-292-0x0000000000400000-0x0000000000602000-memory.dmp

memory/4788-290-0x00000000770A0000-0x000000007715F000-memory.dmp

memory/1636-291-0x000000002E0B0000-0x000000002E15F000-memory.dmp

memory/1636-295-0x000000002E160000-0x000000002E1FC000-memory.dmp

memory/1636-297-0x000000002E160000-0x000000002E1FC000-memory.dmp

memory/1636-294-0x000000002E160000-0x000000002E1FC000-memory.dmp

memory/3748-307-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1980-311-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1636-319-0x0000000003290000-0x0000000004290000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 ee596898c30395a5cb19b03b606f5b71
SHA1 10b1ba74a872f5a6ebf28d280c790c7e47ff5060
SHA256 e689b4e72ef1a710e54fd5848ff36113e492f3310720e41e6e4cc58932277357
SHA512 6f4c26a3e964b890c49eb53a172b51483b775cf7b50aa958eeae44e5dd115135152a10c7275294b8dbff6b8c8e8fb269ccda1bb18452c80a250cda2141334442

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 592891870497d09b73afcf22ee1731fb
SHA1 82f7cc3b319a6b892e71679a25cb456daea8bc0d
SHA256 704f66580a4ff837ac179efee2cb7fb44ed197fb0cb51ba15e949777330f7384
SHA512 26edf0e94adc121c4863ce45d0e64ba307eec92fc7cff6f7911d3c06ae2ed6efe20746e3fb8c1ca0347b1810fce0a6f840415770b9f654daa3d5b9c9b9f35b63

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\763a0a6e-e5ae-44ec-8152-da1afeebd732.tmp

MD5 0ba40329c7220d7e8111372f23243cdf
SHA1 90fc08d301e97d1367cf71cc765ea79a2c471f4d
SHA256 2316417e7513c920e47a1e2aecb40f3dfa5afdb8296806af679af96e496e4356
SHA512 ea2ad3aeae59212fdbcab09abe98c318546c4cf78ce8870128f1997490dd3927751c4d51a2ffda0173565476dcfc215381a9ca4ad2821725d10a1f9fcc674151

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c4f1910d1fcd1b29aba9fd176e46948f
SHA1 54062446b363bd0eb4b297fa4c045352351307e1
SHA256 c48e926cf887f0427d7c9a6ba3e45af33df46371cbc0b8be924360ceff59ca41
SHA512 f4c4392873e2c3647c3b5cc67e522301b836091f2bc3e9e533d7ecdc32020df445fa3692eadddd2b1f021782e2db9a0b63bbdedb88b989ac35996d54b61d916c

memory/4788-382-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/4788-381-0x0000000075CE0000-0x0000000075F61000-memory.dmp

memory/4788-390-0x0000000002DA0000-0x0000000002DC4000-memory.dmp

memory/4788-391-0x0000000071AC0000-0x0000000071B49000-memory.dmp

memory/4788-389-0x0000000076300000-0x00000000763E3000-memory.dmp

memory/4788-392-0x0000000077160000-0x0000000077713000-memory.dmp

memory/4788-395-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/4788-427-0x0000000000400000-0x0000000000602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir1276_505755360\3dd8069b-30e4-4635-987b-b5751abf95b5.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 9f0f9ae6b6260754da065c68646dd66e
SHA1 61f0c68ffbb60aba4ec60fe8ce29ebbe8753675c
SHA256 21bbcf87691f3b34c22dccb1c78c4fe86281d5c34be013cf62675569b3b1d35d
SHA512 5f831102d71cfe101dc68ac089a100a179028ed84b7bf2a2cc9fb2ff2c82a89ced0a71f3877c556a3183d4d6774f10397d712643c2ae68d663493f7fdfc89232

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 57b592cd2c6aa04af4f83710a775edd5
SHA1 e24fc00ebbb551c6560a57fc34e80e603f61ce0e
SHA256 5f4db545ba5bfad483e2ad51423fefb45e169b6b282131fa5806e9a03e1067e1
SHA512 0113b0aaa2fccb3b86d01479c966fd0b6d858d31a3c82ae73caacc1fc3e7b697c091f4e79fe17af95a582970f0597490c4fd46a72158dcbd45fb229c9696b166

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c0ca56f862944ad5fade5da7e306c36c
SHA1 89f778dcc272e76e59df476ed84f02343041a8e0
SHA256 48933b257643fe9c749d7badfc5ff3b6f92311f5c935c40f101685721099df5a
SHA512 cdd15a6291801b479d983b1925fafdb033d2db81c94808c73bde1d20e3c51bfb384e36283e8c95c070dd80562939328bc10b8ed00416a6462989180104f8a6f3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 ea3da2232e2ef1942265de2ae2cfb4f1
SHA1 19a5e86134b09ce65dcbd4a3df09e5e1f8923302
SHA256 3cd6aee888d6f665a08ae6c9bc1aa17f9ce118614079a5a1ee7750f109b19bd6
SHA512 ac939815b224d86ba9e6cb5e9f50d02fb06b342f635406971b510afd2f26fc702daccaf64736eb7dbbec2b71ae98ddaf7bb71c25d3d4138ff7c0090312da4ca9

C:\Users\Admin\AppData\Local\Temp\scoped_dir1276_505755360\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 da481de720a3c66b3989af06b384b858
SHA1 008cf4aa1db111250b8560c7c21667a4b22e3bc6
SHA256 482f0aa58912a6044260fc56cb696c371e16b3d6c0ceb8d2af03bd7ccdda6ff7
SHA512 cb062203d6ef2a8a81aeccf00665ab9d9a0d999fde1e7541eb6e9447fa6342880bac8337a2a3ed753db2a88fb8b4125cde466899ec022492d155253db225b46d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 f9c0444306ee5bfc2f0170feb40e4d14
SHA1 b62adc3c2f04ce6eb4c46db39a8f987f45920cc8
SHA256 1f3d18852204e9c6b1ae16e84f2860309ca57d5ed10c001be9aa6b0e6b641589
SHA512 71ce98f0720ebab0a0b81f5f58034d2fa1dfca4873690b8bcfa8265c470d9f13f311f78d4779255bb22b5fe2a27c6a5c01ff806caffd26e84823642903dfb420

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b2e31f39c4efc44c7522338b3125a9e2
SHA1 e6225b72bb9f3157f01bb6800d2b7ce6b4e6a93b
SHA256 717e11d6d144b231b84d0d9573e7f14645d38f98b4663c4f7a5702735bc00ada
SHA512 c27add523949a2f2ac91bb6b467b23e7464144900a156b6abf1e9a14b88c3c0d5e5ef481ea3ede95d4f5994950e23d2f821d815f11aea59f11e0eb3627c22d1e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 87424af882d43c1da1685e2e1f132031
SHA1 9ee4036518a174d9c32bf7b315297d6359852c0c
SHA256 b667f97f1fb0deced12a2d548a0c6db9e5265de8d2849ef11728f6312ad10d90
SHA512 59dc6eeb95bf3d8335499be958fb6bdbbd82b3321a2bfe133a491d60a81e6509ccc44ea718676941a33ebb3c5f3c8921ef549828fca4c1af0924da796ea89b99

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 cfdccd2429bb3a996a64a1464f4e09bd
SHA1 f33947e969a8581941adcce2d351bfad2b7503ab
SHA256 615bdded8e62c6e5ed85e9d1908eed24b17817e1afebe7d1a3416db6fcaf8a3c
SHA512 1f8050886a6e117d0d80bb3279766080b9d8ab50ad7c1607d5fe1386b5286dad5f983d2afa4dd04c1f6add4701072872ecf39d5f203304d7838fc2f26270b6d8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 d3b8672e3d33c6119e2c4c795ad4fe68
SHA1 a507b38851d893c426ee58e9fdba8d32023a9765
SHA256 799132f4945df41e63d379d6d3960481cece9da6079c5671d2b93b71b493e9fc
SHA512 ef51958a9bf48a8cca7d850d72acfffdefa6f9daaebbbab01f8ea5c8d4ad15c2d89e7a55b79ed8e5b1636aadaff5d2d96b28e13d8cff32190353ea934e5f1c12

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 78e2a36b34230607ce2c7c1967e0023e
SHA1 a9659752d236e237f5fff6e31a8f15678b1b5221
SHA256 122a402e72fb0087f0ebf5da3bbf7b68a501623f05129207738083ad1ada9c29
SHA512 044a44869b77cc20c196ec6220c753eb97e51a4a577c13e5aef667fa3072ebaa50f9204c60dfd5ebd8af948335d4a46c84804b9f72807bb4ca0ea704d60d295a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 723532f7ed148f12f7015bbafa0eb484
SHA1 662d48727daa92209b154bc49acdb913ab9722e4
SHA256 0e4e4e243c83882765af6e8e2fab7d08178e183986f4b4e5f19e353b7065e431
SHA512 8018ccd7217e6827c9fb5c56cd183ffc25eec0e9dae995cad7e3bbd761dba78679aa317f65b7fd677794902d98a1fd40bbfe63de8bd9f0ef3361af2d84745ca1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e0f63c5eebf2a3cfdbbcdb77a4bd1d6a
SHA1 0f96669c27e96efd60d5930ae735608c07e3cba0
SHA256 f5ac537c375a6ecf750f55eda3f247f8659a4d42d95e15543f8d977f0adade9b
SHA512 1747b2e63343659c9fbdf88d7d1cb2a15968c2b691c67dbfacee9d90ccfacc3baa4ad3ac05dc573bfc5303d669f9977245574719e6200313d4c5f1969ed1ee89

C:\Users\Admin\AppData\Local\Temp\e59ac53.exe

MD5 620bda3df817bff8deb38758d1dc668c
SHA1 9933523941851b42047f2b7a1324eb8daa8fb1ff
SHA256 b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3
SHA512 bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568

memory/740-1017-0x0000000000A70000-0x0000000000A78000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-07 01:35

Reported

2024-11-07 01:37

Platform

win7-20241023-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12415525f_Sun165e4b43.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123b5520c_Sun167e6e8e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123f27aeb_Sun16fd2d2c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124687449_Sun160c8bdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1248c3618_Sun163d2f1a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4NPRN.tmp\61db124581e67_Sun16f69cf5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d53987_Sun167d37725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12406f6aa_Sun162d98072de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124485050_Sun16393bc6d27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12463c38c_Sun163f038f56b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124390898_Sun1668743e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OFI15.tmp\61db124581e67_Sun16f69cf5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12415525f_Sun165e4b43.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12415525f_Sun165e4b43.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123f27aeb_Sun16fd2d2c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123f27aeb_Sun16fd2d2c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1248c3618_Sun163d2f1a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1248c3618_Sun163d2f1a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4NPRN.tmp\61db124581e67_Sun16f69cf5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4NPRN.tmp\61db124581e67_Sun16f69cf5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d53987_Sun167d37725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d53987_Sun167d37725.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124485050_Sun16393bc6d27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124485050_Sun16393bc6d27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4NPRN.tmp\61db124581e67_Sun16f69cf5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12463c38c_Sun163f038f56b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12463c38c_Sun163f038f56b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4NPRN.tmp\61db124581e67_Sun16f69cf5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124390898_Sun1668743e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124390898_Sun1668743e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124687449_Sun160c8bdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124687449_Sun160c8bdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123c07201_Sun16eddc15d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123c07201_Sun16eddc15d.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1964 set thread context of 1736 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124485050_Sun16393bc6d27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12415525f_Sun165e4b43.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123f27aeb_Sun16fd2d2c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1248c3618_Sun163d2f1a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123c07201_Sun16eddc15d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-OFI15.tmp\61db124581e67_Sun16f69cf5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124687449_Sun160c8bdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123c07201_Sun16eddc15d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d53987_Sun167d37725.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124390898_Sun1668743e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-4NPRN.tmp\61db124581e67_Sun16f69cf5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12463c38c_Sun163f038f56b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OFI15.tmp\61db124581e67_Sun16f69cf5.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d53987_Sun167d37725.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12406f6aa_Sun162d98072de.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12415525f_Sun165e4b43.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2584 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe
PID 2584 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe
PID 2584 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe
PID 2584 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe
PID 2584 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe
PID 2584 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe
PID 2584 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe
PID 2532 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123b5520c_Sun167e6e8e5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123c07201_Sun16eddc15d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123d0b1da_Sun16b440cb5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123d53987_Sun167d37725.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db123f27aeb_Sun16fd2d2c6.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db12406f6aa_Sun162d98072de.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db12415525f_Sun165e4b43.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124390898_Sun1668743e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124485050_Sun16393bc6d27.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124581e67_Sun16f69cf5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db12463c38c_Sun163f038f56b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db124687449_Sun160c8bdb.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12415525f_Sun165e4b43.exe

61db12415525f_Sun165e4b43.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe

61db123d0b1da_Sun16b440cb5.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123b5520c_Sun167e6e8e5.exe

61db123b5520c_Sun167e6e8e5.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123f27aeb_Sun16fd2d2c6.exe

61db123f27aeb_Sun16fd2d2c6.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db1247ebe9a_Sun16487c750.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61db1248c3618_Sun163d2f1a2.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124687449_Sun160c8bdb.exe

61db124687449_Sun160c8bdb.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe

61db124581e67_Sun16f69cf5.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123c07201_Sun16eddc15d.exe

61db123c07201_Sun16eddc15d.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe

61db1247ebe9a_Sun16487c750.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1248c3618_Sun163d2f1a2.exe

61db1248c3618_Sun163d2f1a2.exe

C:\Users\Admin\AppData\Local\Temp\is-4NPRN.tmp\61db124581e67_Sun16f69cf5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4NPRN.tmp\61db124581e67_Sun16f69cf5.tmp" /SL5="$70192,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d53987_Sun167d37725.exe

61db123d53987_Sun167d37725.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12463c38c_Sun163f038f56b.exe

61db12463c38c_Sun163f038f56b.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12406f6aa_Sun162d98072de.exe

61db12406f6aa_Sun162d98072de.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124390898_Sun1668743e.exe

61db124390898_Sun1668743e.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124485050_Sun16393bc6d27.exe

61db124485050_Sun16393bc6d27.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe

"C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsA

C:\Users\Admin\AppData\Local\Temp\is-OFI15.tmp\61db124581e67_Sun16f69cf5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OFI15.tmp\61db124581e67_Sun16f69cf5.tmp" /SL5="$701CC,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123c07201_Sun16eddc15d.exe

"C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123c07201_Sun16eddc15d.exe" -u

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 480

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\gM~Z.Ibb

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\gM~Z.Ibb

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3004 -s 508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1496

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61db124485050_Sun16393bc6d27.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124485050_Sun16393bc6d27.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61db124485050_Sun16393bc6d27.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 1664

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\gM~Z.Ibb

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\gM~Z.Ibb

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
FR 212.193.30.45:80 212.193.30.45 tcp
FR 212.193.30.45:443 tcp
US 8.8.8.8:53 kelenxz.xyz udp
FR 212.193.30.45:443 tcp
US 45.144.225.57:80 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 noplayboy.com udp
US 8.8.8.8:53 iplogger.org udp
US 52.203.72.196:443 www.listincode.com tcp
US 104.26.2.46:443 iplogger.org tcp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 enahsmusic.com udp
US 8.8.8.8:53 artmy.top udp
DE 88.99.35.59:63020 tcp
N/A 127.0.0.1:49299 tcp
N/A 127.0.0.1:49301 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:80 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:80 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 enahsmusic.com udp
US 8.8.8.8:53 www.hhiuew33.com udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 104.26.2.46:80 iplogger.org tcp
US 8.8.8.8:53 youtube4kdowloader.club udp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 2.56.59.42:80 tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 funsystems.me udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 my-4ll-group.bar udp
US 8.8.8.8:53 m525-blockchain32.bar udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
DE 88.99.35.59:63020 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
DE 88.99.35.59:63020 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
DE 88.99.35.59:63020 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
FR 77.233.110.97:8080 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
DE 88.99.35.59:63020 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\setup_install.exe

MD5 a60500da6ed682914acc9c9889ecdb30
SHA1 5ed444ae92eda90cb48a7eb692b7316bbdddcf2e
SHA256 dbd53a82efa7af241b40aa7036ac5967050d31c4aaea8b2d8b7f733f218b3ae9
SHA512 cff66730c208f49f0481173ebf71ff143714508d90489aec3eca7fc60fe038be6e74980734871c58dd83eb2b526c0545dfb48349db9384698f13e0c6666a08dc

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2532-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2532-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS81A302E6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2532-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2532-74-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2532-73-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2532-72-0x0000000064941000-0x000000006494F000-memory.dmp

memory/2532-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2532-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2532-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2532-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2532-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2532-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2532-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2532-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2532-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124390898_Sun1668743e.exe

MD5 f3fa68a9fe766e5c40c56e41754b27a7
SHA1 f3f6a7e1bb2a8724d1e9278be4dbcc25c64e8a14
SHA256 301b9f12179808e82d295dd32c037172fe57b365bdf7f66acbe89e6cf34a5b92
SHA512 027ee5d7f6844474d5520f292763331ebad80449ac7908c209dd8b40654d4ac3ee30d63ac3029c24b83c74a6e42f74cff40b5978f6f7d668496660f2653772bf

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12415525f_Sun165e4b43.exe

MD5 7343332458864c6515115517f6d03472
SHA1 16836826d8dbe16b7e5832f90bc1b8065f5fb852
SHA256 2879d8d2187f5581a500d683c6c3fea8a94f9b3ef4f1913f36b5f5b928baa15e
SHA512 0264831861d58877f8f1e3e95f477509dc9381a66d54617b4a2b858843581e903a483048b6cf4452c21add68a96470228fba618f5e7d02cc13e429f0e8afe6ce

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123f27aeb_Sun16fd2d2c6.exe

MD5 aa75aa3f07c593b1cd7441f7d8723e14
SHA1 f8e9190ccb6b36474c63ed65a74629ad490f2620
SHA256 af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1
SHA512 b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123b5520c_Sun167e6e8e5.exe

MD5 29fa0d00300d275c04b2d0cc3b969c57
SHA1 329b7fbe6ba9ceca9507af8adec6771799c2e841
SHA256 28314e224dcbae977cbf7dec0cda849e4a56cec90b3568a29b6bbd9234b895aa
SHA512 4925a7e5d831ebc1da9a6f7e77f5022e83f7f01032d102a41dd9e33a4df546202b3b27effb912aa46e5b007bda11238e1fc67f8c74ddac4993a6ee108a6cd411

\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124581e67_Sun16f69cf5.exe

MD5 996061fe21353bf63874579cc6c090cc
SHA1 eeaf5d66e0ff5e9ddad02653c5bf6af5275e47e9
SHA256 b9dad89b3de1d7f9a4b73a5d107c74f716a6e2e89d653c48ab47108b37ad699a
SHA512 042ea077acfc0dff8684a5eb304af15177c4e6f54c774471b8091669b1ab16833894ca7a52917f8a6bbeacbb6532db521cea61d70ac4c5c992cb4896083d6c93

memory/1980-138-0x0000000000400000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-4NPRN.tmp\61db124581e67_Sun16f69cf5.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/1980-149-0x00000000002D0000-0x00000000003AE000-memory.dmp

memory/1980-148-0x00000000002D0000-0x00000000003AE000-memory.dmp

memory/3048-133-0x0000000076D10000-0x0000000076DBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1248c3618_Sun163d2f1a2.exe

MD5 58a32a80e87073b560ddd8318975078c
SHA1 fa94fc82dfc3e8acfd0d33cc83c007c34ae46a04
SHA256 cda9a7862fc5a5b28b51448ad2676571012e282fbc652746e4df050d28fe1d59
SHA512 1a0edbddd301ca8b95b32a0491e73ba7de5ad3c5eade61c165a06adb97ea300491e9bfd4aa8c6d3fe0afac51a898d7e42dbeadb4a601a6fd57dcdf97bbc6841b

\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123c07201_Sun16eddc15d.exe

MD5 e2c982d6178375365eb7977c873b3a63
SHA1 f86b9f418a01fdb93018d10ad289f79cfa8a72ae
SHA256 d4b90392cc143ffe8cc6ec13a76f46280ebd1568c4426c5f7779abdc8f1804f6
SHA512 83c25a01288cc35d2c99cc3176b3bf3b10d940141093f7a160a843a8e330315066c4751a423df2147f6f2def01332dbcfe539b469a74de4c2605d74ed9c39f1d

memory/304-120-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124687449_Sun160c8bdb.exe

MD5 f6c9b83f094c110a003c0a917109c77c
SHA1 7d5a70dc2630aaea4e274e967f6196a17ab89192
SHA256 44d800ab20b4e2681b036f60bdb50410fc5708ddae0ea1256193782c5f6c1797
SHA512 35dd96c5ea635d211eee5c9a7a05d2ea4e61dbbb2e6f0578b2149d9fddbfaf0488183704fff18c0ba79ae2506a6da4c9c55a7d8dcf4dcdf1b40bdd61ffdab9b5

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db1247ebe9a_Sun16487c750.exe

MD5 d268fe46ea18023fbcd2bfcb52daae21
SHA1 96a4cd529d33b88096e1ef23d10dce348205e737
SHA256 d45f31cc5cbccbf3319a73964344536264c85909ca43d8639a437b3f47f38640
SHA512 1b39ec7d2f6087890e3d4ef2362418f02d18dc2b38535584ff8eda16f7db8fe604bcee65648e32a77dbc3f09e8057ac49407a3c721e06816815c60baebb91c75

\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d0b1da_Sun16b440cb5.exe

MD5 3e52b9d96ebb916e79769c0ed601bb06
SHA1 f12d72f429e4f6126efe3aab708d057e761bd53c
SHA256 114613b6e775967d70c998abbf651018a21acbd9ea84dd0f7582ead6a9f07289
SHA512 ab981251eb64fd4616d8c3278df3cdcebe93f86cc9382adb4967869b83a3f7e3315449e2f3c7edba33b55f15ead7d0a78d39f9a7bc48901904e6ac3c5e4b9f71

memory/3048-137-0x0000000000EF0000-0x00000000010F2000-memory.dmp

memory/3048-136-0x0000000000EF0000-0x00000000010F2000-memory.dmp

memory/552-135-0x00000000027E0000-0x00000000028BE000-memory.dmp

memory/552-134-0x00000000027E0000-0x00000000028BE000-memory.dmp

memory/3048-132-0x0000000076BF0000-0x0000000076C37000-memory.dmp

memory/3048-131-0x0000000000400000-0x0000000000602000-memory.dmp

memory/3048-130-0x0000000000350000-0x0000000000351000-memory.dmp

memory/3048-129-0x0000000000400000-0x0000000000602000-memory.dmp

memory/3048-102-0x0000000000400000-0x0000000000602000-memory.dmp

memory/1864-100-0x00000000027F0000-0x00000000029F2000-memory.dmp

memory/1864-99-0x00000000027F0000-0x00000000029F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12463c38c_Sun163f038f56b.exe

MD5 14d0d4049bb131fb31dcb7b3736661e7
SHA1 927d885f395bc5ae04e442b9a56a6bd3908d1447
SHA256 427ddd764ac020fc8a5f4a164cc8e1e282e8f53fc5ad34256b2aeb7fe8d68ca5
SHA512 bf0bf5337e2c2815f5f93f6006f2ac2742bb6d60324c7f3eedfbbe041c41ae9b2da1956417c467f668d71fc93c4835d4a81c961c04cbb286c887b99e82bb0994

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db124485050_Sun16393bc6d27.exe

MD5 3284ebb732afafbe79f67d3bcc90835e
SHA1 385a968ae4f9a9849d4a236fd82ffd62d847e12e
SHA256 d0866023aa638155dc8f1f167c67f6f323475e22ae19a073e770e34dc08b2d60
SHA512 bbf6c08f81dce8e39b42822d579100bfcf13469226fc43a343988a782e47d3767e4e7211acbeb7d3a77395b32550ebed7bc05d50ba29c9e17dd572f751610745

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db12406f6aa_Sun162d98072de.exe

MD5 8cb3f6ba5e7b3b4d71162a0846baaebd
SHA1 19543ffebd39ca3ed9296bfa127d04d4b00e422b
SHA256 a25bd95aeb2115ef24d3545fc11150200f567027c0673daf0bbeede99a651b4a
SHA512 451e5f10d4d9faccc03f529b89cd674a64f2157b0c58792165290ac65f590b03d4fc04820e48cd07431168e11c31c2090d3d68264b95277ad3c3f3df765967e1

C:\Users\Admin\AppData\Local\Temp\7zS81A302E6\61db123d53987_Sun167d37725.exe

MD5 08f817588ebd16413a5081bfd5628f16
SHA1 9ae4bbfab9c1639dcd12a910f7fae8b027b16b44
SHA256 835689c6185fa6765c17ce947fcb0f5c1ceec8f405bedc15632d0743299a5882
SHA512 2a48dd89970f64e2858811795f24f2be0c98733bc66909baa73143394d708c0a3aaad498836ed912cc0f96c82482e01d920a73b1787291d2e38dda5fe2d44779

memory/1964-157-0x0000000000AE0000-0x0000000000B6A000-memory.dmp

memory/1728-165-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/672-164-0x0000000000B90000-0x0000000000B98000-memory.dmp

memory/2444-161-0x0000000000070000-0x0000000000080000-memory.dmp

memory/1708-166-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PVWTUXO3BTUABAPK8134.temp

MD5 8db4834498323881ae1f765813bfeddc
SHA1 df9fbf1ca140918bb8fd6b3c3a5db7742e02cd93
SHA256 b33bd3012266a26d3d1207946a8748487954826e7c17a00539c8be63fdc96263
SHA512 5a412d6c559a2ec7b37d429587c7332508c7029bc5932aa41db07f095a1f41807b05f9f52abf118cbf2f95fa4c3b0e2113b5559844902d1540735d99d0f56d44

memory/304-177-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-EDQMN.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-EDQMN.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 ba3a98e2a1faacf0ad668b4e9582a109
SHA1 1160c029a6257f776a6ed1cfdc09ae158d613ae3
SHA256 8165138265a2bf60d2edd69662c399bdbf1426108e98c5dfff5933168eba33f5
SHA512 d255da482ad2e9fa29b84676028c21683b0df7663113e2b0b7c6ff07c9fb8995e81a589e6c8d157ce33c1f266ac12a512821894159eee37dbb53a1d3ae6d6825

memory/1864-195-0x00000000027F0000-0x00000000029F2000-memory.dmp

memory/1736-193-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1736-206-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1736-204-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1736-203-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1736-202-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1736-200-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1736-198-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1736-196-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2892-210-0x00000000027D0000-0x00000000037D0000-memory.dmp

memory/3048-217-0x0000000000400000-0x0000000000602000-memory.dmp

memory/2532-216-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2532-215-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2532-214-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2532-213-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2532-212-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2532-211-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 7165e9d7456520d1f1644aa26da7c423
SHA1 177f9116229a021e24f80c4059999c4c52f9e830
SHA256 40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
SHA512 fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

memory/1980-221-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/3048-220-0x0000000000EF0000-0x00000000010F2000-memory.dmp

memory/552-219-0x00000000027E0000-0x00000000028BE000-memory.dmp

memory/552-218-0x00000000027E0000-0x00000000028BE000-memory.dmp

memory/2680-226-0x0000000000400000-0x000000000047C000-memory.dmp

memory/2532-236-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2532-235-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2532-234-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2532-233-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2532-231-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2532-227-0x0000000000400000-0x000000000051C000-memory.dmp

memory/3048-241-0x0000000076D10000-0x0000000076DBC000-memory.dmp

memory/3048-240-0x0000000076BF0000-0x0000000076C37000-memory.dmp

memory/1980-244-0x00000000002D0000-0x00000000003AE000-memory.dmp

memory/1980-243-0x00000000002D0000-0x00000000003AE000-memory.dmp

memory/1708-242-0x0000000000400000-0x0000000000414000-memory.dmp

memory/652-258-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab83B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1808-266-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/1980-267-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/2892-271-0x00000000027D0000-0x00000000037D0000-memory.dmp

memory/2892-275-0x000000002D500000-0x000000002D5AF000-memory.dmp

memory/2892-279-0x000000002D5B0000-0x000000002D64C000-memory.dmp

memory/2892-277-0x000000002D5B0000-0x000000002D64C000-memory.dmp

memory/2892-276-0x000000002D5B0000-0x000000002D64C000-memory.dmp

memory/1904-283-0x0000000000400000-0x0000000002B95000-memory.dmp

memory/652-286-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3048-307-0x0000000000AA0000-0x0000000000AC4000-memory.dmp

memory/3048-443-0x0000000000400000-0x0000000000602000-memory.dmp