Analysis Overview
SHA256
a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb
Threat Level: Known bad
The file a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb was found to be: Known bad.
Malicious Activity Summary
NullMixer
Detect Fabookie payload
GCleaner
Socelars family
Smokeloader family
Nullmixer family
Fabookie family
Redline family
OnlyLogger
SmokeLoader
Gcleaner family
Socelars payload
Fabookie
RedLine
Socelars
Onlylogger family
RedLine payload
Detected Nirsoft tools
OnlyLogger payload
NirSoft WebBrowserPassView
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
ASPack v2.12-2.42
Reads user/profile data of web browsers
Checks computer location settings
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 09:02
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 09:02
Reported
2024-11-09 09:04
Platform
win7-20241010-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Detect Fabookie payload
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
RedLine
RedLine payload
Redline family
SmokeLoader
Smokeloader family
Socelars
Socelars family
Socelars payload
Detected Nirsoft tools
NirSoft WebBrowserPassView
OnlyLogger payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2272 set thread context of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe |
| PID 1136 set thread context of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe |
UPX packed file
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948e7f7ef_Wed16b426d6adc1.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-BU1ND.tmp\621f948a0fc8a_Wed1650732795.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948e7f7ef_Wed16b426d6adc1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948d05937_Wed16374c3beda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-11311.tmp\621f949237c58_Wed168fc449f.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948b816de_Wed16bd6eaa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3A2M90A5EHAHK5K.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3A2M90A5EHAHK5K.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe
"C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f9482b3cb5_Wed16d6773e4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f94837e687_Wed16b4f13b0b4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948449020_Wed163088fdd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f9486b4516_Wed16eb16ea4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948855a5b_Wed16c9c6da01a3.exe
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe
621f9482b3cb5_Wed16d6773e4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948a0fc8a_Wed1650732795.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948b816de_Wed16bd6eaa.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe
621f948449020_Wed163088fdd.exe
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe
621f948855a5b_Wed16c9c6da01a3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948d05937_Wed16374c3beda.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948e7f7ef_Wed16b426d6adc1.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948fe5007_Wed163feaf0.exe
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94837e687_Wed16b4f13b0b4.exe
621f94837e687_Wed16b4f13b0b4.exe
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe
621f948a0fc8a_Wed1650732795.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f9490c9091_Wed16d3d6c5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f949237c58_Wed168fc449f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f94aa19419_Wed16184b9bf0.exe
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948e7f7ef_Wed16b426d6adc1.exe
621f948e7f7ef_Wed16b426d6adc1.exe /mixtwo
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe" -h
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948b816de_Wed16bd6eaa.exe
621f948b816de_Wed16bd6eaa.exe
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe
621f9486b4516_Wed16eb16ea4.exe
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948d05937_Wed16374c3beda.exe
621f948d05937_Wed16374c3beda.exe
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe
621f9490c9091_Wed16d3d6c5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe
621f94aa19419_Wed16184b9bf0.exe
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe
621f949237c58_Wed168fc449f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948fe5007_Wed163feaf0.exe
621f948fe5007_Wed163feaf0.exe
C:\Users\Admin\AppData\Local\Temp\is-BU1ND.tmp\621f948a0fc8a_Wed1650732795.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BU1ND.tmp\621f948a0fc8a_Wed1650732795.tmp" /SL5="$301E6,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe
621f9490c9091_Wed16d3d6c5.exe
C:\Users\Admin\AppData\Local\Temp\is-11311.tmp\621f949237c58_Wed168fc449f.tmp
"C:\Users\Admin\AppData\Local\Temp\is-11311.tmp\621f949237c58_Wed168fc449f.tmp" /SL5="$301CC,140006,56320,C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp" /SL5="$501BC,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" .\ZMJYD.C /s
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 492
C:\Users\Admin\AppData\Local\Temp\3A2M90A5EHAHK5K.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 368 -s 380
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | appwebstat.biz | udp |
| US | 8.8.8.8:53 | www.icodeps.com | udp |
| US | 8.8.8.8:53 | duoproc.net | udp |
| US | 172.232.4.213:443 | www.icodeps.com | tcp |
| US | 172.232.4.213:443 | www.icodeps.com | tcp |
| US | 172.232.4.213:443 | www.icodeps.com | tcp |
| US | 172.232.4.213:443 | www.icodeps.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | yeager.s3.pl-waw.scw.cloud | udp |
| PL | 151.115.10.3:80 | yeager.s3.pl-waw.scw.cloud | tcp |
| US | 8.8.8.8:53 | ackerman.s3.pl-waw.scw.cloud | udp |
| PL | 151.115.10.3:80 | ackerman.s3.pl-waw.scw.cloud | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | fuck-systems.com | udp |
| US | 8.8.8.8:53 | onenew-cloudapps.com | udp |
| US | 8.8.8.8:53 | all-smart-green.com | udp |
| US | 199.59.243.227:80 | all-smart-green.com | tcp |
| RU | 92.255.57.154:11841 | | tcp |
| US | 8.8.8.8:53 | www.hhiuew33.com | udp |
| RU | 92.255.57.154:11841 | | tcp |
| RU | 92.255.57.154:11841 | | tcp |
| RU | 92.255.57.154:11841 | | tcp |
| RU | 92.255.57.154:11841 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe
| MD5 | dc72933d86bf031b858123f48c4fd14f |
| SHA1 | ee6b17d8e965f2175dc7837c1b7cb0020c24a781 |
| SHA256 | a4fa4aa6dbd692660840d051ec283d262f32037ccadf9445d2ea86dd664b5831 |
| SHA512 | 62be755bf2d61c747e94dc2f4a6efebc28cad43ded8d249188bc682f225ee8fad3bfc7ce1c85b1fc81c0c26c845dc7c19882bbd18008051bed0d6082fcf320c4 |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe
| MD5 | 98c3385d313ae6d4cf1f192830f6b555 |
| SHA1 | 31c572430094e9adbf5b7647c3621b2e8dfa7fe8 |
| SHA256 | 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be |
| SHA512 | fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe
| MD5 | c5ae00bc9521abc87b2143826b88731a |
| SHA1 | ef44d7c5cc9fa1b61070a2aacd76a4718ccacf5e |
| SHA256 | 2d23db5f735a5b3111cdf867a611d73c757797bc28f099feef6d5d14154b31b1 |
| SHA512 | 1f91288c9608cd83a3b7355b8523a3175b369d771cd5b3142ea8eb2c1ee0f3e69f13618e5ce5b7c6bc068cee61211bdc3a2a17c874a3802892125e97a0dd522a |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe
| MD5 | 894759b7ce3835029711d032205ec472 |
| SHA1 | e8824dffbc468e4dcdfd06094597776b3c4be593 |
| SHA256 | c12d359da11bc33309ac9d661aec047669aee7986bfd8326d122a26c055e0044 |
| SHA512 | ea25a7fd901eb9dedf93eb5e026de1406315599429ee31080828a59cd8cb6dd763ef307c329ef5f422b3cfaa136f2aa7b1412f013bbbd9aecf97a7c9195d127b |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe
| MD5 | e1a8bb1c0d082168f5433a1bdd03b66b |
| SHA1 | 71e43669b4a74b4f830d3e74f5750dc7be78e085 |
| SHA256 | 1286c91bd81aaccf5df1da0c78298a91d1d77bcddfe65871568b0661fb227929 |
| SHA512 | 11fd29f912d52bb0984f39b4c12d7f2ead645abf0866b8e6f725a3c1bae154bb120859ce9e6f1010edf01f6dc7f3a2b6ca5071fff2e8a88c4e8a134808bfee49 |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94837e687_Wed16b4f13b0b4.exe
| MD5 | 5b667f4b728b93ed5951e7bfddf8fb21 |
| SHA1 | 00258995bd0f0b43af92656d217903e62b4229bd |
| SHA256 | ac6cbfa5a8097b446fc0b6d7fb464c55425cf8093f3147f65b0bde3a08e1f3c1 |
| SHA512 | 4f3fc716db01afab932bb800e4b26a729f47f693b4490176548cc67cca9c9957e155a04fd10ecf098c8a1c02dbca3dc8695cc67af545376aff771c207a6eee77 |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948b816de_Wed16bd6eaa.exe
| MD5 | f47ef25d6fbd8fb1709ac978104480d9 |
| SHA1 | 861dee7ae35269baf7429147f1089004dbdbbc75 |
| SHA256 | b141a340d0703b0dbe579bf42a8eb865b6d8bdc6ec5323215e7de9eeb890c788 |
| SHA512 | cf0332bcb6a75be665aafae033b3e810c0120aac02c3c3a4b5534788420ee7013e03bbaffa830fc34be19750efba1ef5205b2c356825ba02f6664816e98442d8 |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948d05937_Wed16374c3beda.exe
| MD5 | aa5254e8284e33aa8f60e9f4e9e8b1c5 |
| SHA1 | 465f8b854048fc21a99b2f746c961bea598a4c38 |
| SHA256 | 9780e353d9670c8ab8177d23af1ec3acdaa740a9f5f13f77e88f1f9de5ed8323 |
| SHA512 | 024062930947a3d34d5fc01f1633aa8a09524a9537651269f090f800f9a248d551a7144e2726f9b3303c81237c00149b8bbe2f0de235d70ebe525534eac91fde |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe
| MD5 | 9955dd419c83119488778affdab16717 |
| SHA1 | da24a018dc2411f9c646c8770b34ad659387e931 |
| SHA256 | 91c178a3c15eb95b93cd8d61be8a80c2eac2b66149e744b9e23a53fb9c68927f |
| SHA512 | e4dfb73ab1812e22f783d269d9cdc7814134237d35887bc55dc1e105e3d95f64ed6851200dbecd8819e71927ac542fefbdbdf7b7bc318e90806a0912a2212e90 |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948e7f7ef_Wed16b426d6adc1.exe
| MD5 | afe6087457ae59ca0d071370f60a3e86 |
| SHA1 | b576cae50f011161d729a257ea3c3f3ff9b47dd6 |
| SHA256 | d77eb517c120ffc52cb3bc21e2c592625073b0ba287f9f5cf8e9822a6fe00a95 |
| SHA512 | 3aecbb441a22f247e84288e94020759f567e1d086a5f59cdd119e14612bb71a1c1dc5cbc80b951456fecdc10737b69a47bc3dc07059dbb94a46aab85247ba570 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V8N1GAL8IN3SZP8EEQT2.temp
| MD5 | b2f0db58d86b1bcf5d66c58f9c26229c |
| SHA1 | 5d57d4ff5f6a701dff497b4489d399b1e729e32c |
| SHA256 | bffad306773e7b84d24ed392861e5719b163dce94cdea97b0f2ced05c12db51c |
| SHA512 | a37950929ca1d29a543278e8317218b97c8dea0863995a1b7bd327ec37766e1862ee411dcc2a8f17f094d3a9c70f2876485facbae5ca9fc90f2fa6a5db41a707 |
C:\Users\Admin\AppData\Local\Temp\11111.exe
| MD5 | 94989927a6611e1919f84e1871922b63 |
| SHA1 | b602e4c47c9c42c273b68a1ce85f0814c0e05deb |
| SHA256 | 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17 |
| SHA512 | ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe
| MD5 | 8f12876ff6f721e9b9786733f923ed5a |
| SHA1 | 4898a00c846f82316cc632007966dfb5f626ad43 |
| SHA256 | 9aa138a385805dc69f7c082a3994538fea2127d18f352a74ab8505ccd74fa533 |
| SHA512 | 1069e733a45c7a2bec67cae1b465bdd4a76051673a7bb0a7dba21a240d9e4d3d18f5915ace58e5a666d824e57355907c7ac23fc23d4fcf38af5a6e54115f1b48 |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe
| MD5 | c427835b14238569c986d5543b36e0cb |
| SHA1 | 552d3752d6276cf8eebbf0ef976954e340930b14 |
| SHA256 | 8804babd5cc914c36e67fb2a2b3086ce3b3a6b7d676749f5700f9eb41796c458 |
| SHA512 | dfe034d6f89a0068d9f1c33e4cc0df47ebfa0d38dc33884295a466f1126b24dbe78e56ef905f218636a2b3f780b28a62f5164ddf01502324854a81163c7539b8 |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948fe5007_Wed163feaf0.exe
| MD5 | 749b436db9150b62721e67aa8d5bdebb |
| SHA1 | a5b77f7cede8c4c40d96e941a941862b6a9c1a23 |
| SHA256 | 9d400635b2cb61d461ade25b36097fc8e66c8d963c1cd3ab0d6864b9c016bbfc |
| SHA512 | ccfbffc9ca5dde45e1a834336e0f1df4a9c0e8658a7c4f07f5dec347005b2c4f9bdd5c6d5981680ba9a84d4169f9a26d4a53c930def39cd298947ec7cf8db0f3 |
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe
| MD5 | 65a916a503ac8875b7a38d04f9ec53cd |
| SHA1 | 6fe3351cdd4e684ee2eccceabe7ec515f508a6a2 |
| SHA256 | bc84e7b06f99196ef82c0d5356644ed3fe1d897257e9e8149cf83e686e285618 |
| SHA512 | 574071f47f85552cc8de4c26230528db1a7034a5ac454d704a29cfe2d919c9be36f23aa2be4c5ed59554613fe20382a95d5b7e31e43d32e0cd3fc7e4a2b1be71 |
C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp
| MD5 | 83b531c1515044f8241cd9627fbfbe86 |
| SHA1 | d2f7096e18531abb963fc9af7ecc543641570ac8 |
| SHA256 | 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c |
| SHA512 | 9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b |
C:\Users\Admin\AppData\Local\Temp\is-G0RD0.tmp\idp.dll
| MD5 | 55c310c0319260d798757557ab3bf636 |
| SHA1 | 0892eb7ed31d8bb20a56c6835990749011a2d8de |
| SHA256 | 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed |
| SHA512 | e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57 |
C:\Users\Admin\AppData\Local\Temp\11111.exe
| MD5 | d0527733abcc5c58735e11d43061b431 |
| SHA1 | 28de9d191826192721e325787b8a50a84328cffd |
| SHA256 | b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45 |
| SHA512 | 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 09:02
Reported
2024-11-09 09:04
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
146s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe
"C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe"
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f9482b3cb5_Wed16d6773e4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f94837e687_Wed16b4f13b0b4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948449020_Wed163088fdd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f9486b4516_Wed16eb16ea4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948855a5b_Wed16c9c6da01a3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948a0fc8a_Wed1650732795.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948b816de_Wed16bd6eaa.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948d05937_Wed16374c3beda.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948e7f7ef_Wed16b426d6adc1.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f948fe5007_Wed163feaf0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f9490c9091_Wed16d3d6c5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f949237c58_Wed168fc449f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621f94aa19419_Wed16184b9bf0.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe
| MD5 | dc72933d86bf031b858123f48c4fd14f |
| SHA1 | ee6b17d8e965f2175dc7837c1b7cb0020c24a781 |
| SHA256 | a4fa4aa6dbd692660840d051ec283d262f32037ccadf9445d2ea86dd664b5831 |
| SHA512 | 62be755bf2d61c747e94dc2f4a6efebc28cad43ded8d249188bc682f225ee8fad3bfc7ce1c85b1fc81c0c26c845dc7c19882bbd18008051bed0d6082fcf320c4 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\621f94aa19419_Wed16184b9bf0.exe
| MD5 | 9955dd419c83119488778affdab16717 |
| SHA1 | da24a018dc2411f9c646c8770b34ad659387e931 |
| SHA256 | 91c178a3c15eb95b93cd8d61be8a80c2eac2b66149e744b9e23a53fb9c68927f |
| SHA512 | e4dfb73ab1812e22f783d269d9cdc7814134237d35887bc55dc1e105e3d95f64ed6851200dbecd8819e71927ac542fefbdbdf7b7bc318e90806a0912a2212e90 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hhkcpbtx.mdh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\621f9490c9091_Wed16d3d6c5.exe
| MD5 | 65a916a503ac8875b7a38d04f9ec53cd |
| SHA1 | 6fe3351cdd4e684ee2eccceabe7ec515f508a6a2 |
| SHA256 | bc84e7b06f99196ef82c0d5356644ed3fe1d897257e9e8149cf83e686e285618 |
| SHA512 | 574071f47f85552cc8de4c26230528db1a7034a5ac454d704a29cfe2d919c9be36f23aa2be4c5ed59554613fe20382a95d5b7e31e43d32e0cd3fc7e4a2b1be71 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\621f948fe5007_Wed163feaf0.exe
| MD5 | 749b436db9150b62721e67aa8d5bdebb |
| SHA1 | a5b77f7cede8c4c40d96e941a941862b6a9c1a23 |
| SHA256 | 9d400635b2cb61d461ade25b36097fc8e66c8d963c1cd3ab0d6864b9c016bbfc |
| SHA512 | ccfbffc9ca5dde45e1a834336e0f1df4a9c0e8658a7c4f07f5dec347005b2c4f9bdd5c6d5981680ba9a84d4169f9a26d4a53c930def39cd298947ec7cf8db0f3 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\621f948e7f7ef_Wed16b426d6adc1.exe
| MD5 | afe6087457ae59ca0d071370f60a3e86 |
| SHA1 | b576cae50f011161d729a257ea3c3f3ff9b47dd6 |
| SHA256 | d77eb517c120ffc52cb3bc21e2c592625073b0ba287f9f5cf8e9822a6fe00a95 |
| SHA512 | 3aecbb441a22f247e84288e94020759f567e1d086a5f59cdd119e14612bb71a1c1dc5cbc80b951456fecdc10737b69a47bc3dc07059dbb94a46aab85247ba570 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\621f948d05937_Wed16374c3beda.exe
| MD5 | aa5254e8284e33aa8f60e9f4e9e8b1c5 |
| SHA1 | 465f8b854048fc21a99b2f746c961bea598a4c38 |
| SHA256 | 9780e353d9670c8ab8177d23af1ec3acdaa740a9f5f13f77e88f1f9de5ed8323 |
| SHA512 | 024062930947a3d34d5fc01f1633aa8a09524a9537651269f090f800f9a248d551a7144e2726f9b3303c81237c00149b8bbe2f0de235d70ebe525534eac91fde |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\621f948b816de_Wed16bd6eaa.exe
| MD5 | f47ef25d6fbd8fb1709ac978104480d9 |
| SHA1 | 861dee7ae35269baf7429147f1089004dbdbbc75 |
| SHA256 | b141a340d0703b0dbe579bf42a8eb865b6d8bdc6ec5323215e7de9eeb890c788 |
| SHA512 | cf0332bcb6a75be665aafae033b3e810c0120aac02c3c3a4b5534788420ee7013e03bbaffa830fc34be19750efba1ef5205b2c356825ba02f6664816e98442d8 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\621f948a0fc8a_Wed1650732795.exe
| MD5 | 8f12876ff6f721e9b9786733f923ed5a |
| SHA1 | 4898a00c846f82316cc632007966dfb5f626ad43 |
| SHA256 | 9aa138a385805dc69f7c082a3994538fea2127d18f352a74ab8505ccd74fa533 |
| SHA512 | 1069e733a45c7a2bec67cae1b465bdd4a76051673a7bb0a7dba21a240d9e4d3d18f5915ace58e5a666d824e57355907c7ac23fc23d4fcf38af5a6e54115f1b48 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\621f948855a5b_Wed16c9c6da01a3.exe
| MD5 | 894759b7ce3835029711d032205ec472 |
| SHA1 | e8824dffbc468e4dcdfd06094597776b3c4be593 |
| SHA256 | c12d359da11bc33309ac9d661aec047669aee7986bfd8326d122a26c055e0044 |
| SHA512 | ea25a7fd901eb9dedf93eb5e026de1406315599429ee31080828a59cd8cb6dd763ef307c329ef5f422b3cfaa136f2aa7b1412f013bbbd9aecf97a7c9195d127b |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\621f9486b4516_Wed16eb16ea4.exe
| MD5 | e1a8bb1c0d082168f5433a1bdd03b66b |
| SHA1 | 71e43669b4a74b4f830d3e74f5750dc7be78e085 |
| SHA256 | 1286c91bd81aaccf5df1da0c78298a91d1d77bcddfe65871568b0661fb227929 |
| SHA512 | 11fd29f912d52bb0984f39b4c12d7f2ead645abf0866b8e6f725a3c1bae154bb120859ce9e6f1010edf01f6dc7f3a2b6ca5071fff2e8a88c4e8a134808bfee49 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\621f948449020_Wed163088fdd.exe
| MD5 | c5ae00bc9521abc87b2143826b88731a |
| SHA1 | ef44d7c5cc9fa1b61070a2aacd76a4718ccacf5e |
| SHA256 | 2d23db5f735a5b3111cdf867a611d73c757797bc28f099feef6d5d14154b31b1 |
| SHA512 | 1f91288c9608cd83a3b7355b8523a3175b369d771cd5b3142ea8eb2c1ee0f3e69f13618e5ce5b7c6bc068cee61211bdc3a2a17c874a3802892125e97a0dd522a |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\621f94837e687_Wed16b4f13b0b4.exe
| MD5 | 5b667f4b728b93ed5951e7bfddf8fb21 |
| SHA1 | 00258995bd0f0b43af92656d217903e62b4229bd |
| SHA256 | ac6cbfa5a8097b446fc0b6d7fb464c55425cf8093f3147f65b0bde3a08e1f3c1 |
| SHA512 | 4f3fc716db01afab932bb800e4b26a729f47f693b4490176548cc67cca9c9957e155a04fd10ecf098c8a1c02dbca3dc8695cc67af545376aff771c207a6eee77 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\621f9482b3cb5_Wed16d6773e4.exe
| MD5 | 98c3385d313ae6d4cf1f192830f6b555 |
| SHA1 | 31c572430094e9adbf5b7647c3621b2e8dfa7fe8 |
| SHA256 | 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be |
| SHA512 | fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\621f949237c58_Wed168fc449f.exe
| MD5 | c427835b14238569c986d5543b36e0cb |
| SHA1 | 552d3752d6276cf8eebbf0ef976954e340930b14 |
| SHA256 | 8804babd5cc914c36e67fb2a2b3086ce3b3a6b7d676749f5700f9eb41796c458 |
| SHA512 | dfe034d6f89a0068d9f1c33e4cc0df47ebfa0d38dc33884295a466f1126b24dbe78e56ef905f218636a2b3f780b28a62f5164ddf01502324854a81163c7539b8 |
C:\Users\Admin\AppData\Local\Temp\7zS815C9897\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |