Malware Analysis Report

2024-11-13 16:53

Sample ID 241109-gkcxgs1rel
Target 476257ebcbb7ecfa831e625b1d110d6b
SHA256 f588626ae93f8d280520dc8a46009d01c68129006b6786641a458963af97b5bc
Tags
fabookie gcleaner redline smokeloader bernard05 pub3 backdoor discovery execution infostealer loader spyware stealer trojan vmprotect
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

f588626ae93f8d280520dc8a46009d01c68129006b6786641a458963af97b5bc

Threat Level: Known bad

The file 476257ebcbb7ecfa831e625b1d110d6b was found to be: Known bad.

Malicious Activity Summary

fabookie gcleaner redline smokeloader bernard05 pub3 backdoor discovery execution infostealer loader spyware stealer trojan vmprotect

Fabookie family

Fabookie

Gcleaner family

RedLine

SmokeLoader

Smokeloader family

GCleaner

Detect Fabookie payload

Redline family

RedLine payload

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

VMProtect packed file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:51

Reported

2024-11-09 05:54

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe"

Signatures

Detect Fabookie payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54db139b7_3622eb547b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dd948c8_bdbfe0e55.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e108f5b_e0c250f52b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dc06ca5_d13f73d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e90ed62_5334eb4d12.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e5260e5_73b5a3dba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54eb12f29_19a8386c8a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e3a0747_ed24a9c5da.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dd948c8_bdbfe0e55.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e7eb628_9d99fab57f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MIG34.tmp\628e54e02a93b_c820032.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e6a6a3b_9dab9e.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-B8T0K.tmp\628e54eb12f29_19a8386c8a.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e7eb628_9d99fab57f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BAFUL.tmp\628e54e02a93b_c820032.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dc06ca5_d13f73d.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54db139b7_3622eb547b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54db139b7_3622eb547b.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dd948c8_bdbfe0e55.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dd948c8_bdbfe0e55.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e108f5b_e0c250f52b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e108f5b_e0c250f52b.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dc06ca5_d13f73d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dc06ca5_d13f73d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e90ed62_5334eb4d12.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e90ed62_5334eb4d12.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e5260e5_73b5a3dba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e5260e5_73b5a3dba.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dd948c8_bdbfe0e55.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54eb12f29_19a8386c8a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54eb12f29_19a8386c8a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e3a0747_ed24a9c5da.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e3a0747_ed24a9c5da.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dd948c8_bdbfe0e55.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dd948c8_bdbfe0e55.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e7eb628_9d99fab57f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e7eb628_9d99fab57f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54eb12f29_19a8386c8a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MIG34.tmp\628e54e02a93b_c820032.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MIG34.tmp\628e54e02a93b_c820032.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-B8T0K.tmp\628e54eb12f29_19a8386c8a.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-B8T0K.tmp\628e54eb12f29_19a8386c8a.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-B8T0K.tmp\628e54eb12f29_19a8386c8a.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e7eb628_9d99fab57f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e7eb628_9d99fab57f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e7eb628_9d99fab57f.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | iplogger.org | N/A | N/A
N/A | iplogger.org | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\myinstaller\is-FUBJP.tmp | C:\Users\Admin\AppData\Local\Temp\is-BAFUL.tmp\628e54e02a93b_c820032.tmp | N/A
File opened for modification | C:\Program Files (x86)\myinstaller\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-BAFUL.tmp\628e54e02a93b_c820032.tmp | N/A
File created | C:\Program Files (x86)\myinstaller\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-BAFUL.tmp\628e54e02a93b_c820032.tmp | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-B8T0K.tmp\628e54eb12f29_19a8386c8a.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dc06ca5_d13f73d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e7eb628_9d99fab57f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dc06ca5_d13f73d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54db139b7_3622eb547b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dd948c8_bdbfe0e55.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e5260e5_73b5a3dba.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-MIG34.tmp\628e54e02a93b_c820032.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e3a0747_ed24a9c5da.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e108f5b_e0c250f52b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e90ed62_5334eb4d12.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dd948c8_bdbfe0e55.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-BAFUL.tmp\628e54e02a93b_c820032.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54eb12f29_19a8386c8a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e7eb628_9d99fab57f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Kills process with taskkill

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e5260e5_73b5a3dba.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dc06ca5_d13f73d.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54db139b7_3622eb547b.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BAFUL.tmp\628e54e02a93b_c820032.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 268 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 268 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 268 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 268 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 268 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 268 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 268 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2596 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe
PID 2596 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe
PID 2596 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe
PID 2596 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe
PID 2596 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe
PID 2596 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe
PID 2596 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe
PID 2780 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54db139b7_3622eb547b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe

"C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54db139b7_3622eb547b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54dc06ca5_d13f73d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54dd948c8_bdbfe0e55.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e02a93b_c820032.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e108f5b_e0c250f52b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e3a0747_ed24a9c5da.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54db139b7_3622eb547b.exe

628e54db139b7_3622eb547b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e5260e5_73b5a3dba.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e6a6a3b_9dab9e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e7eb628_9d99fab57f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e90ed62_5334eb4d12.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54eb12f29_19a8386c8a.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dd948c8_bdbfe0e55.exe

628e54dd948c8_bdbfe0e55.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e108f5b_e0c250f52b.exe

628e54e108f5b_e0c250f52b.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dc06ca5_d13f73d.exe

628e54dc06ca5_d13f73d.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e90ed62_5334eb4d12.exe

628e54e90ed62_5334eb4d12.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e5260e5_73b5a3dba.exe

628e54e5260e5_73b5a3dba.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54eb12f29_19a8386c8a.exe

628e54eb12f29_19a8386c8a.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dd948c8_bdbfe0e55.exe

"C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dd948c8_bdbfe0e55.exe" -h

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e3a0747_ed24a9c5da.exe

628e54e3a0747_ed24a9c5da.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe

628e54e02a93b_c820032.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e7eb628_9d99fab57f.exe

628e54e7eb628_9d99fab57f.exe

C:\Users\Admin\AppData\Local\Temp\is-MIG34.tmp\628e54e02a93b_c820032.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MIG34.tmp\628e54e02a93b_c820032.tmp" /SL5="$50192,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe"

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e6a6a3b_9dab9e.exe

628e54e6a6a3b_9dab9e.exe

C:\Users\Admin\AppData\Local\Temp\is-B8T0K.tmp\628e54eb12f29_19a8386c8a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-B8T0K.tmp\628e54eb12f29_19a8386c8a.tmp" /SL5="$A0016,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54eb12f29_19a8386c8a.exe"

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe

"C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe" /VERYSILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 272

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e7eb628_9d99fab57f.exe

628e54e7eb628_9d99fab57f.exe

C:\Users\Admin\AppData\Local\Temp\is-BAFUL.tmp\628e54e02a93b_c820032.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BAFUL.tmp\628e54e02a93b_c820032.tmp" /SL5="$30172,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e02a93b_c820032.exe" /VERYSILENT

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /U SL5G26.S -S

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dc06ca5_d13f73d.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54dc06ca5_d13f73d.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2140 -s 480

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "628e54e90ed62_5334eb4d12.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS42A4CEF6\628e54e90ed62_5334eb4d12.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "628e54e90ed62_5334eb4d12.exe" /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | v.xyzgamev.com | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | kaoru-hanayama.s3.pl-waw.scw.cloud | udp
US | 8.8.8.8:53 | glicefud.com | udp
PL | 151.115.10.4:80 | kaoru-hanayama.s3.pl-waw.scw.cloud | tcp
US | 8.8.8.8:53 | cristaline.s3.pl-waw.scw.cloud | udp
PL | 151.115.10.4:80 | cristaline.s3.pl-waw.scw.cloud | tcp
US | 8.8.8.8:53 | multilow.com | udp
US | 8.8.8.8:53 | buyinvestment24.com | udp
US | 8.8.8.8:53 | best-boutique-clu2.xyz | udp
US | 8.8.8.8:53 | best-atel1er.com | udp
US | 8.8.8.8:53 | www.hhiuew33.com | udp
FR | 212.192.246.217:80 | | tcp
FR | 141.95.211.151:34846 | | tcp
US | 74.215.36.107:8080 | | tcp
US | 8.8.8.8:53 | iplogger.org | udp
US | 104.26.3.46:443 | iplogger.org | tcp
FR | 212.192.246.217:80 | | tcp
FR | 141.95.211.151:34846 | | tcp
US | 74.215.36.107:8080 | | tcp
FR | 212.192.246.217:80 | | tcp
FR | 141.95.211.151:34846 | | tcp
US | 8.8.8.8:53 | sifddfks.mediagemslive.com | udp
US | 172.67.206.4:443 | sifddfks.mediagemslive.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.187.227:80 | c.pki.goog | tcp
FR | 212.192.246.217:80 | | tcp
FR | 141.95.211.151:34846 | | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.18.190.80:80 | crl.microsoft.com | tcp
FR | 212.192.246.217:80 | | tcp
FR | 141.95.211.151:34846 | | tcp
FR | 212.192.246.217:80 | | tcp
FR | 141.95.211.151:34846 | | tcp
FR | 212.192.246.217:80 | | tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 05:51

Reported

2024-11-09 05:54

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e90ed62_5334eb4d12.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4428 set thread context of 1980 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e90ed62_5334eb4d12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54eb12f29_19a8386c8a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-04C5I.tmp\628e54eb12f29_19a8386c8a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 876 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 876 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 876 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4352 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe
PID 4352 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe
PID 4352 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe
PID 4084 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4444 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4444 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1388 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e6a6a3b_9dab9e.exe
PID 1388 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e6a6a3b_9dab9e.exe
PID 2716 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe
PID 2716 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe
PID 2716 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe
PID 3036 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54eb12f29_19a8386c8a.exe
PID 3036 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54eb12f29_19a8386c8a.exe
PID 3036 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54eb12f29_19a8386c8a.exe
PID 860 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e90ed62_5334eb4d12.exe
PID 860 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e90ed62_5334eb4d12.exe
PID 860 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e90ed62_5334eb4d12.exe
PID 2496 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54eb12f29_19a8386c8a.exe C:\Users\Admin\AppData\Local\Temp\is-04C5I.tmp\628e54eb12f29_19a8386c8a.tmp
PID 2496 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54eb12f29_19a8386c8a.exe C:\Users\Admin\AppData\Local\Temp\is-04C5I.tmp\628e54eb12f29_19a8386c8a.tmp
PID 2496 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54eb12f29_19a8386c8a.exe C:\Users\Admin\AppData\Local\Temp\is-04C5I.tmp\628e54eb12f29_19a8386c8a.tmp
PID 4428 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe
PID 4428 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe
PID 4428 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe
PID 4428 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe
PID 4428 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe

"C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54db139b7_3622eb547b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54dc06ca5_d13f73d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54dd948c8_bdbfe0e55.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e02a93b_c820032.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e108f5b_e0c250f52b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e3a0747_ed24a9c5da.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e5260e5_73b5a3dba.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e6a6a3b_9dab9e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e7eb628_9d99fab57f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e90ed62_5334eb4d12.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54eb12f29_19a8386c8a.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e6a6a3b_9dab9e.exe

628e54e6a6a3b_9dab9e.exe

C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe

628e54e7eb628_9d99fab57f.exe

C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54eb12f29_19a8386c8a.exe

628e54eb12f29_19a8386c8a.exe

C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e90ed62_5334eb4d12.exe

628e54e90ed62_5334eb4d12.exe

C:\Users\Admin\AppData\Local\Temp\is-04C5I.tmp\628e54eb12f29_19a8386c8a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-04C5I.tmp\628e54eb12f29_19a8386c8a.tmp" /SL5="$402B4,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54eb12f29_19a8386c8a.exe"

C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e7eb628_9d99fab57f.exe

628e54e7eb628_9d99fab57f.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "628e54e90ed62_5334eb4d12.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS001B00B7\628e54e90ed62_5334eb4d12.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1564 -ip 1564

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "628e54e90ed62_5334eb4d12.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1412

Network


Files


memory/3120-131-0x0000000007050000-0x000000000706A000-memory.dmp

memory/3120-132-0x00000000070C0000-0x00000000070CA000-memory.dmp

memory/3120-133-0x00000000072B0000-0x0000000007346000-memory.dmp

memory/3120-134-0x0000000007240000-0x0000000007251000-memory.dmp

memory/3120-135-0x0000000007270000-0x000000000727E000-memory.dmp

memory/3120-136-0x0000000007280000-0x0000000007294000-memory.dmp

memory/3120-137-0x0000000007370000-0x000000000738A000-memory.dmp

memory/3120-138-0x0000000007360000-0x0000000007368000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 05:51

Reported

2024-11-09 05:54

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54db139b7_3622eb547b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e108f5b_e0c250f52b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dd948c8_bdbfe0e55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e5260e5_73b5a3dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e7eb628_9d99fab57f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e90ed62_5334eb4d12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dc06ca5_d13f73d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dd948c8_bdbfe0e55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54eb12f29_19a8386c8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NOSHJ.tmp\628e54e02a93b_c820032.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e6a6a3b_9dab9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e3a0747_ed24a9c5da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e7eb628_9d99fab57f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NI93D.tmp\628e54eb12f29_19a8386c8a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4QSOM.tmp\628e54e02a93b_c820032.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dc06ca5_d13f73d.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54db139b7_3622eb547b.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54db139b7_3622eb547b.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e108f5b_e0c250f52b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e108f5b_e0c250f52b.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dd948c8_bdbfe0e55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dd948c8_bdbfe0e55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e5260e5_73b5a3dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e5260e5_73b5a3dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e7eb628_9d99fab57f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e7eb628_9d99fab57f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e90ed62_5334eb4d12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e90ed62_5334eb4d12.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dd948c8_bdbfe0e55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dc06ca5_d13f73d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dc06ca5_d13f73d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dd948c8_bdbfe0e55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dd948c8_bdbfe0e55.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54eb12f29_19a8386c8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54eb12f29_19a8386c8a.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e7eb628_9d99fab57f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e3a0747_ed24a9c5da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e3a0747_ed24a9c5da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e7eb628_9d99fab57f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e7eb628_9d99fab57f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54eb12f29_19a8386c8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NI93D.tmp\628e54eb12f29_19a8386c8a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NI93D.tmp\628e54eb12f29_19a8386c8a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NI93D.tmp\628e54eb12f29_19a8386c8a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NOSHJ.tmp\628e54e02a93b_c820032.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NOSHJ.tmp\628e54e02a93b_c820032.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4QSOM.tmp\628e54e02a93b_c820032.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\myinstaller\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-4QSOM.tmp\628e54e02a93b_c820032.tmp N/A
File created C:\Program Files (x86)\myinstaller\is-1RUCA.tmp C:\Users\Admin\AppData\Local\Temp\is-4QSOM.tmp\628e54e02a93b_c820032.tmp N/A
File opened for modification C:\Program Files (x86)\myinstaller\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-4QSOM.tmp\628e54e02a93b_c820032.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54db139b7_3622eb547b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dc06ca5_d13f73d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e3a0747_ed24a9c5da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e7eb628_9d99fab57f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-NI93D.tmp\628e54eb12f29_19a8386c8a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e5260e5_73b5a3dba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dd948c8_bdbfe0e55.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-4QSOM.tmp\628e54e02a93b_c820032.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dc06ca5_d13f73d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e90ed62_5334eb4d12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e7eb628_9d99fab57f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dd948c8_bdbfe0e55.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54eb12f29_19a8386c8a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-NOSHJ.tmp\628e54e02a93b_c820032.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e108f5b_e0c250f52b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e5260e5_73b5a3dba.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dc06ca5_d13f73d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54db139b7_3622eb547b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4QSOM.tmp\628e54e02a93b_c820032.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe
PID 2580 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe
PID 2580 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe
PID 2580 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe
PID 2580 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe
PID 2580 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe
PID 2580 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe
PID 2776 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54db139b7_3622eb547b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54dc06ca5_d13f73d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54dd948c8_bdbfe0e55.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e02a93b_c820032.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e108f5b_e0c250f52b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e3a0747_ed24a9c5da.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e5260e5_73b5a3dba.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54db139b7_3622eb547b.exe

628e54db139b7_3622eb547b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e6a6a3b_9dab9e.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e108f5b_e0c250f52b.exe

628e54e108f5b_e0c250f52b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e7eb628_9d99fab57f.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dd948c8_bdbfe0e55.exe

628e54dd948c8_bdbfe0e55.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e90ed62_5334eb4d12.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54eb12f29_19a8386c8a.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e7eb628_9d99fab57f.exe

628e54e7eb628_9d99fab57f.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e5260e5_73b5a3dba.exe

628e54e5260e5_73b5a3dba.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e90ed62_5334eb4d12.exe

628e54e90ed62_5334eb4d12.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dc06ca5_d13f73d.exe

628e54dc06ca5_d13f73d.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dd948c8_bdbfe0e55.exe

"C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dd948c8_bdbfe0e55.exe" -h

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe

628e54e02a93b_c820032.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54eb12f29_19a8386c8a.exe

628e54eb12f29_19a8386c8a.exe

C:\Users\Admin\AppData\Local\Temp\is-NOSHJ.tmp\628e54e02a93b_c820032.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NOSHJ.tmp\628e54e02a93b_c820032.tmp" /SL5="$A0194,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe"

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e6a6a3b_9dab9e.exe

628e54e6a6a3b_9dab9e.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e3a0747_ed24a9c5da.exe

628e54e3a0747_ed24a9c5da.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e7eb628_9d99fab57f.exe

628e54e7eb628_9d99fab57f.exe

C:\Users\Admin\AppData\Local\Temp\is-NI93D.tmp\628e54eb12f29_19a8386c8a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NI93D.tmp\628e54eb12f29_19a8386c8a.tmp" /SL5="$30186,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54eb12f29_19a8386c8a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 272

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe

"C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-4QSOM.tmp\628e54e02a93b_c820032.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4QSOM.tmp\628e54e02a93b_c820032.tmp" /SL5="$B0194,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dc06ca5_d13f73d.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dc06ca5_d13f73d.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /U SL5G26.S -S

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2488 -s 488

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "628e54e90ed62_5334eb4d12.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e90ed62_5334eb4d12.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "628e54e90ed62_5334eb4d12.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.hhiuew33.com udp
US 8.8.8.8:53 kaoru-hanayama.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 glicefud.com udp
PL 151.115.10.4:80 kaoru-hanayama.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 multilow.com udp
US 8.8.8.8:53 buyinvestment24.com udp
US 8.8.8.8:53 cristaline.s3.pl-waw.scw.cloud udp
PL 151.115.10.3:80 cristaline.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 best-boutique-clu2.xyz udp
US 8.8.8.8:53 best-atel1er.com udp
FR 212.192.246.217:80 tcp
FR 141.95.211.151:34846 tcp
US 74.215.36.107:8080 tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
FR 212.192.246.217:80 tcp
FR 141.95.211.151:34846 tcp
US 74.215.36.107:8080 tcp
FR 212.192.246.217:80 tcp
FR 141.95.211.151:34846 tcp
US 8.8.8.8:53 sifddfks.mediagemslive.com udp
US 172.67.206.4:443 sifddfks.mediagemslive.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
FR 212.192.246.217:80 tcp
FR 141.95.211.151:34846 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.71:80 crl.microsoft.com tcp
FR 212.192.246.217:80 tcp
FR 141.95.211.151:34846 tcp
FR 212.192.246.217:80 tcp
FR 141.95.211.151:34846 tcp
FR 212.192.246.217:80 tcp

Files

\Users\Admin\AppData\Local\Temp\7zS41A7B186\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zS41A7B186\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54db139b7_3622eb547b.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dc06ca5_d13f73d.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e02a93b_c820032.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e108f5b_e0c250f52b.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54dd948c8_bdbfe0e55.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e3a0747_ed24a9c5da.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e5260e5_73b5a3dba.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54eb12f29_19a8386c8a.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e7eb628_9d99fab57f.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e6a6a3b_9dab9e.exe

C:\Users\Admin\AppData\Local\Temp\7zS41A7B186\628e54e90ed62_5334eb4d12.exe

C:\Users\Admin\AppData\Local\Temp\is-4QSOM.tmp\628e54e02a93b_c820032.tmp

C:\Users\Admin\AppData\Local\Temp\is-4N3E4.tmp\idp.dll

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-09 05:51

Reported

2024-11-09 05:54

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dd948c8_bdbfe0e55.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-QL7MJ.tmp\628e54e02a93b_c820032.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e90ed62_5334eb4d12.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e3a0747_ed24a9c5da.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dc06ca5_d13f73d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e6a6a3b_9dab9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dd948c8_bdbfe0e55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e90ed62_5334eb4d12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e7eb628_9d99fab57f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e108f5b_e0c250f52b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e3a0747_ed24a9c5da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54eb12f29_19a8386c8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e5260e5_73b5a3dba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e02a93b_c820032.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A77O7.tmp\628e54eb12f29_19a8386c8a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QL7MJ.tmp\628e54e02a93b_c820032.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e7eb628_9d99fab57f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dd948c8_bdbfe0e55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e02a93b_c820032.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QHADH.tmp\628e54e02a93b_c820032.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dc06ca5_d13f73d.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\myinstaller\is-P5I6V.tmp C:\Users\Admin\AppData\Local\Temp\is-QHADH.tmp\628e54e02a93b_c820032.tmp N/A
File opened for modification C:\Program Files (x86)\myinstaller\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-QHADH.tmp\628e54e02a93b_c820032.tmp N/A
File created C:\Program Files (x86)\myinstaller\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-QHADH.tmp\628e54e02a93b_c820032.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e90ed62_5334eb4d12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e7eb628_9d99fab57f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-QHADH.tmp\628e54e02a93b_c820032.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dd948c8_bdbfe0e55.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e02a93b_c820032.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dd948c8_bdbfe0e55.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e7eb628_9d99fab57f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dc06ca5_d13f73d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-A77O7.tmp\628e54eb12f29_19a8386c8a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e3a0747_ed24a9c5da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e5260e5_73b5a3dba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-QL7MJ.tmp\628e54e02a93b_c820032.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dc06ca5_d13f73d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e108f5b_e0c250f52b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54eb12f29_19a8386c8a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e02a93b_c820032.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e108f5b_e0c250f52b.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e108f5b_e0c250f52b.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e108f5b_e0c250f52b.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e5260e5_73b5a3dba.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dc06ca5_d13f73d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QHADH.tmp\628e54e02a93b_c820032.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4916 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe
PID 4916 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe
PID 4916 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe
PID 1496 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dc06ca5_d13f73d.exe
PID 1856 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dc06ca5_d13f73d.exe
PID 1856 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dc06ca5_d13f73d.exe
PID 4420 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e6a6a3b_9dab9e.exe
PID 4420 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e6a6a3b_9dab9e.exe
PID 1284 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dd948c8_bdbfe0e55.exe
PID 1284 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dd948c8_bdbfe0e55.exe
PID 1284 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dd948c8_bdbfe0e55.exe
PID 4612 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e90ed62_5334eb4d12.exe
PID 4612 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e90ed62_5334eb4d12.exe
PID 4612 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e90ed62_5334eb4d12.exe
PID 4784 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e7eb628_9d99fab57f.exe
PID 4784 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e7eb628_9d99fab57f.exe
PID 4784 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e7eb628_9d99fab57f.exe
PID 3308 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e108f5b_e0c250f52b.exe
PID 3308 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e108f5b_e0c250f52b.exe
PID 3308 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e108f5b_e0c250f52b.exe
PID 4412 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e3a0747_ed24a9c5da.exe
PID 4412 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e3a0747_ed24a9c5da.exe
PID 4412 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e3a0747_ed24a9c5da.exe
PID 780 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54eb12f29_19a8386c8a.exe
PID 780 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54eb12f29_19a8386c8a.exe
PID 780 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54eb12f29_19a8386c8a.exe
PID 736 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 736 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54db139b7_3622eb547b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54dc06ca5_d13f73d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54dd948c8_bdbfe0e55.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e02a93b_c820032.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e108f5b_e0c250f52b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e3a0747_ed24a9c5da.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e5260e5_73b5a3dba.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e6a6a3b_9dab9e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e7eb628_9d99fab57f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54e90ed62_5334eb4d12.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 628e54eb12f29_19a8386c8a.exe

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e6a6a3b_9dab9e.exe

628e54e6a6a3b_9dab9e.exe

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dc06ca5_d13f73d.exe

628e54dc06ca5_d13f73d.exe

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dd948c8_bdbfe0e55.exe

628e54dd948c8_bdbfe0e55.exe

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e90ed62_5334eb4d12.exe

628e54e90ed62_5334eb4d12.exe

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e7eb628_9d99fab57f.exe

628e54e7eb628_9d99fab57f.exe

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e108f5b_e0c250f52b.exe

628e54e108f5b_e0c250f52b.exe

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e3a0747_ed24a9c5da.exe

628e54e3a0747_ed24a9c5da.exe

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54eb12f29_19a8386c8a.exe

628e54eb12f29_19a8386c8a.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e02a93b_c820032.exe

628e54e02a93b_c820032.exe

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e5260e5_73b5a3dba.exe

628e54e5260e5_73b5a3dba.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\is-A77O7.tmp\628e54eb12f29_19a8386c8a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-A77O7.tmp\628e54eb12f29_19a8386c8a.tmp" /SL5="$40096,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54eb12f29_19a8386c8a.exe"

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dc06ca5_d13f73d.exe

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dc06ca5_d13f73d.exe

C:\Users\Admin\AppData\Local\Temp\is-QL7MJ.tmp\628e54e02a93b_c820032.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QL7MJ.tmp\628e54e02a93b_c820032.tmp" /SL5="$30264,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e02a93b_c820032.exe"

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e7eb628_9d99fab57f.exe

628e54e7eb628_9d99fab57f.exe

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dd948c8_bdbfe0e55.exe

"C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54dd948c8_bdbfe0e55.exe" -h

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 460

C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e02a93b_c820032.exe

"C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e02a93b_c820032.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-QHADH.tmp\628e54e02a93b_c820032.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QHADH.tmp\628e54e02a93b_c820032.tmp" /SL5="$702CA,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e02a93b_c820032.exe" /VERYSILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "628e54e90ed62_5334eb4d12.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS433AE1F7\628e54e90ed62_5334eb4d12.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4712 -ip 4712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1380

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "628e54e90ed62_5334eb4d12.exe" /f

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /U SL5G26.S -S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 644

Network


Files
