Malware Analysis Report

2024-11-13 16:53

Sample ID 241109-kzhcas1hlk
Target a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb
SHA256 a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb
Tags
fabookie gcleaner nullmixer onlylogger redline smokeloader socelars media60603 pub3 aspackv2 backdoor discovery dropper execution infostealer loader spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb

Threat Level: Known bad

The file a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb was found to be: Known bad.

Malicious Activity Summary

NullMixer

Detect Fabookie payload

GCleaner

Socelars family

Smokeloader family

Nullmixer family

Fabookie family

Redline family

OnlyLogger

SmokeLoader

Gcleaner family

Socelars payload

Fabookie

RedLine

Socelars

Onlylogger family

RedLine payload

Detected Nirsoft tools

OnlyLogger payload

NirSoft WebBrowserPassView

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

ASPack v2.12-2.42

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 09:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 09:02

Reported

2024-11-09 09:04

Platform

win7-20241010-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94837e687_Wed16b4f13b0b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948e7f7ef_Wed16b426d6adc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948b816de_Wed16bd6eaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948d05937_Wed16374c3beda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948fe5007_Wed163feaf0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BU1ND.tmp\621f948a0fc8a_Wed1650732795.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-11311.tmp\621f949237c58_Wed168fc449f.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3A2M90A5EHAHK5K.exe N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948e7f7ef_Wed16b426d6adc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948e7f7ef_Wed16b426d6adc1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948b816de_Wed16bd6eaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948b816de_Wed16bd6eaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948d05937_Wed16374c3beda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948d05937_Wed16374c3beda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BU1ND.tmp\621f948a0fc8a_Wed1650732795.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Note: this signature (ATT&CK T1614.001) fires on any open of the installed-language key listed in the Indicator column. Several of the processes below are stock Windows binaries (cmd.exe, taskkill.exe, regsvr32.exe, powershell.exe) whose own locale initialisation reads this key, so the row count overstates how many of the dropped executables performed language discovery themselves, and the report does not show whether any process acted on the value it read.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-BU1ND.tmp\621f948a0fc8a_Wed1650732795.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948e7f7ef_Wed16b426d6adc1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948d05937_Wed16374c3beda.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-11311.tmp\621f949237c58_Wed168fc449f.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948b816de_Wed16bd6eaa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: 31 (SeTrustedCredManAccessPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: 32 (SeRelabelPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94837e687_Wed16b4f13b0b4.exe N/A

Note: the sandbox prints privileges it has no name for by LUID; the names added in parentheses are the well-known Windows privilege LUIDs 31 to 35 from winnt.h. Read together, the rows for 621f9486b4516_Wed16eb16ea4.exe are every well-known privilege from LUID 2 (SeCreateTokenPrivilege) to LUID 35 in order, which is the footprint of a loop calling AdjustTokenPrivileges (or RtlAdjustPrivilege) on every LUID rather than a request for one specific right. The signature records the calls, not whether each privilege was actually held by the token, so a successful elevation cannot be inferred from this table alone.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe
PID 1356 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe
PID 1356 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe
PID 1356 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe
PID 1356 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe
PID 1356 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe
PID 1356 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe
PID 2572 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe
PID 2304 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe
PID 2304 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe
PID 2304 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe
PID 2304 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe
PID 2304 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe
PID 2304 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe
PID 2572 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
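The WriteProcessMemory table above is one row per call, so each parent/child pair appears many times and the tree is hard to read. The script below, an added example that is not part of the report or of the sandbox's own tooling, parses rows of that shape, collapses the repeats into one edge with a write count, and prints the resulting process tree. The sample rows are copied from the table (the 1356 to 2572 row trimmed from seven copies to three, the other edges kept once); the function names and the row regex are this example's own assumptions about the table layout.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Row shape of the "Suspicious use of WriteProcessMemory" table above
# (Description, Indicator, Process, Target, whitespace separated):
#   PID <a> wrote to memory of <b>   N/A   <writing image>   <target image>
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<src_img>\S+)\s+(?P<dst_img>\S+)$"
)

# Constructed sample input: rows copied from the report's table. The table
# repeats the 1356 -> 2572 row seven times (one row per WriteProcessMemory
# call); three copies are kept here and every other edge once, so the
# counts this sample yields are the sample's, not the report's.
SAMPLE_ROWS = r"""
PID 1356 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe
PID 1356 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe
PID 1356 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe
PID 2572 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe
PID 2572 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe C:\Windows\SysWOW64\cmd.exe
"""


def parse_rows(text):
    """Return (edges, counts, images).

    edges  : distinct (writer_pid, target_pid) pairs in first-seen order
    counts : Counter of how many rows each pair had
    images : pid -> image path, taken from the rows that name the pid
    Lines without the row shape are skipped rather than guessed at.
    """
    edges, counts, images = [], Counter(), {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src], images[dst] = m["src_img"], m["dst_img"]
        if counts[(src, dst)] == 0:
            edges.append((src, dst))
        counts[(src, dst)] += 1
    return edges, counts, images


def build_tree(edges):
    """Map each writer PID to the PIDs it wrote to, and list the roots
    (writers that never appear as a target)."""
    children, targets = defaultdict(list), set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    writers = list(dict.fromkeys(src for src, _ in edges))
    roots = [pid for pid in writers if pid not in targets]
    return children, roots


def render_tree(edges, counts, images):
    """Indented tree, one line per PID, with the write count on each edge.
    A PID written to by two different parents is printed under both, which
    is itself worth a look. A guard stops recursion if the data has a cycle."""
    children, roots = build_tree(edges)
    lines = []

    def walk(pid, depth, parent, stack):
        label = f"{pid} {ntpath.basename(images.get(pid, '?'))}"
        if parent is not None:
            label += f"  [{counts[(parent, pid)]} write(s) from {parent}]"
        lines.append("  " * depth + label)
        for child in children.get(pid, []):
            if child not in stack:
                walk(child, depth + 1, pid, stack | {child})

    for root in roots:
        walk(root, 0, None, {root})
    return "\n".join(lines)


if __name__ == "__main__":
    edges, counts, images = parse_rows(SAMPLE_ROWS)
    print(render_tree(edges, counts, images))
```

Run against the full table, the tree shows the shape the report's flat rows hide: the submitted sample writes only to setup_install.exe, setup_install.exe fans out to one cmd.exe per dropped payload, and each cmd.exe in turn writes to the payload it launches. The write count per edge is what separates the handful of writes a parent makes while creating a child from a later, larger burst into an already running process; the report itself gives no timestamps, so that distinction has to come from the count and from the injected process's own behaviour.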

Processes

C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe

"C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f9482b3cb5_Wed16d6773e4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f94837e687_Wed16b4f13b0b4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948449020_Wed163088fdd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f9486b4516_Wed16eb16ea4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948855a5b_Wed16c9c6da01a3.exe

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe

621f9482b3cb5_Wed16d6773e4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948a0fc8a_Wed1650732795.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948b816de_Wed16bd6eaa.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe

621f948449020_Wed163088fdd.exe

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe

621f948855a5b_Wed16c9c6da01a3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948d05937_Wed16374c3beda.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948e7f7ef_Wed16b426d6adc1.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948fe5007_Wed163feaf0.exe

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94837e687_Wed16b4f13b0b4.exe

621f94837e687_Wed16b4f13b0b4.exe

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe

621f948a0fc8a_Wed1650732795.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f9490c9091_Wed16d3d6c5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f949237c58_Wed168fc449f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f94aa19419_Wed16184b9bf0.exe

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948e7f7ef_Wed16b426d6adc1.exe

621f948e7f7ef_Wed16b426d6adc1.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe" -h

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948b816de_Wed16bd6eaa.exe

621f948b816de_Wed16bd6eaa.exe

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe

621f9486b4516_Wed16eb16ea4.exe

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948d05937_Wed16374c3beda.exe

621f948d05937_Wed16374c3beda.exe

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe

621f9490c9091_Wed16d3d6c5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe

621f94aa19419_Wed16184b9bf0.exe

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe

621f949237c58_Wed168fc449f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948fe5007_Wed163feaf0.exe

621f948fe5007_Wed163feaf0.exe

C:\Users\Admin\AppData\Local\Temp\is-BU1ND.tmp\621f948a0fc8a_Wed1650732795.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BU1ND.tmp\621f948a0fc8a_Wed1650732795.tmp" /SL5="$301E6,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe

621f9490c9091_Wed16d3d6c5.exe

C:\Users\Admin\AppData\Local\Temp\is-11311.tmp\621f949237c58_Wed168fc449f.tmp

"C:\Users\Admin\AppData\Local\Temp\is-11311.tmp\621f949237c58_Wed168fc449f.tmp" /SL5="$301CC,140006,56320,C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe"

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp

"C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp" /SL5="$501BC,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" .\ZMJYD.C /s

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 492

C:\Users\Admin\AppData\Local\Temp\3A2M90A5EHAHK5K.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 368 -s 380

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 appwebstat.biz udp
US 8.8.8.8:53 www.icodeps.com udp
US 8.8.8.8:53 duoproc.net udp
US 172.232.4.213:443 www.icodeps.com tcp
US 172.232.4.213:443 www.icodeps.com tcp
US 172.232.4.213:443 www.icodeps.com tcp
US 172.232.4.213:443 www.icodeps.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 yeager.s3.pl-waw.scw.cloud udp
PL 151.115.10.3:80 yeager.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 ackerman.s3.pl-waw.scw.cloud udp
PL 151.115.10.3:80 ackerman.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.195:80 c.pki.goog tcp
US 8.8.8.8:53 fuck-systems.com udp
US 8.8.8.8:53 onenew-cloudapps.com udp
US 8.8.8.8:53 all-smart-green.com udp
US 199.59.243.227:80 all-smart-green.com tcp
RU 92.255.57.154:11841 tcp
US 8.8.8.8:53 www.hhiuew33.com udp
RU 92.255.57.154:11841 tcp
RU 92.255.57.154:11841 tcp
RU 92.255.57.154:11841 tcp
RU 92.255.57.154:11841 tcp

Files

\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe

MD5 dc72933d86bf031b858123f48c4fd14f
SHA1 ee6b17d8e965f2175dc7837c1b7cb0020c24a781
SHA256 a4fa4aa6dbd692660840d051ec283d262f32037ccadf9445d2ea86dd664b5831
SHA512 62be755bf2d61c747e94dc2f4a6efebc28cad43ded8d249188bc682f225ee8fad3bfc7ce1c85b1fc81c0c26c845dc7c19882bbd18008051bed0d6082fcf320c4

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe

MD5 98c3385d313ae6d4cf1f192830f6b555
SHA1 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512 fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe

MD5 c5ae00bc9521abc87b2143826b88731a
SHA1 ef44d7c5cc9fa1b61070a2aacd76a4718ccacf5e
SHA256 2d23db5f735a5b3111cdf867a611d73c757797bc28f099feef6d5d14154b31b1
SHA512 1f91288c9608cd83a3b7355b8523a3175b369d771cd5b3142ea8eb2c1ee0f3e69f13618e5ce5b7c6bc068cee61211bdc3a2a17c874a3802892125e97a0dd522a

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe

MD5 894759b7ce3835029711d032205ec472
SHA1 e8824dffbc468e4dcdfd06094597776b3c4be593
SHA256 c12d359da11bc33309ac9d661aec047669aee7986bfd8326d122a26c055e0044
SHA512 ea25a7fd901eb9dedf93eb5e026de1406315599429ee31080828a59cd8cb6dd763ef307c329ef5f422b3cfaa136f2aa7b1412f013bbbd9aecf97a7c9195d127b

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe

MD5 e1a8bb1c0d082168f5433a1bdd03b66b
SHA1 71e43669b4a74b4f830d3e74f5750dc7be78e085
SHA256 1286c91bd81aaccf5df1da0c78298a91d1d77bcddfe65871568b0661fb227929
SHA512 11fd29f912d52bb0984f39b4c12d7f2ead645abf0866b8e6f725a3c1bae154bb120859ce9e6f1010edf01f6dc7f3a2b6ca5071fff2e8a88c4e8a134808bfee49

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94837e687_Wed16b4f13b0b4.exe

MD5 5b667f4b728b93ed5951e7bfddf8fb21
SHA1 00258995bd0f0b43af92656d217903e62b4229bd
SHA256 ac6cbfa5a8097b446fc0b6d7fb464c55425cf8093f3147f65b0bde3a08e1f3c1
SHA512 4f3fc716db01afab932bb800e4b26a729f47f693b4490176548cc67cca9c9957e155a04fd10ecf098c8a1c02dbca3dc8695cc67af545376aff771c207a6eee77

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948b816de_Wed16bd6eaa.exe

MD5 f47ef25d6fbd8fb1709ac978104480d9
SHA1 861dee7ae35269baf7429147f1089004dbdbbc75
SHA256 b141a340d0703b0dbe579bf42a8eb865b6d8bdc6ec5323215e7de9eeb890c788
SHA512 cf0332bcb6a75be665aafae033b3e810c0120aac02c3c3a4b5534788420ee7013e03bbaffa830fc34be19750efba1ef5205b2c356825ba02f6664816e98442d8

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948d05937_Wed16374c3beda.exe

MD5 aa5254e8284e33aa8f60e9f4e9e8b1c5
SHA1 465f8b854048fc21a99b2f746c961bea598a4c38
SHA256 9780e353d9670c8ab8177d23af1ec3acdaa740a9f5f13f77e88f1f9de5ed8323
SHA512 024062930947a3d34d5fc01f1633aa8a09524a9537651269f090f800f9a248d551a7144e2726f9b3303c81237c00149b8bbe2f0de235d70ebe525534eac91fde

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe

MD5 9955dd419c83119488778affdab16717
SHA1 da24a018dc2411f9c646c8770b34ad659387e931
SHA256 91c178a3c15eb95b93cd8d61be8a80c2eac2b66149e744b9e23a53fb9c68927f
SHA512 e4dfb73ab1812e22f783d269d9cdc7814134237d35887bc55dc1e105e3d95f64ed6851200dbecd8819e71927ac542fefbdbdf7b7bc318e90806a0912a2212e90

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948e7f7ef_Wed16b426d6adc1.exe

MD5 afe6087457ae59ca0d071370f60a3e86
SHA1 b576cae50f011161d729a257ea3c3f3ff9b47dd6
SHA256 d77eb517c120ffc52cb3bc21e2c592625073b0ba287f9f5cf8e9822a6fe00a95
SHA512 3aecbb441a22f247e84288e94020759f567e1d086a5f59cdd119e14612bb71a1c1dc5cbc80b951456fecdc10737b69a47bc3dc07059dbb94a46aab85247ba570

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V8N1GAL8IN3SZP8EEQT2.temp

MD5 b2f0db58d86b1bcf5d66c58f9c26229c
SHA1 5d57d4ff5f6a701dff497b4489d399b1e729e32c
SHA256 bffad306773e7b84d24ed392861e5719b163dce94cdea97b0f2ced05c12db51c
SHA512 a37950929ca1d29a543278e8317218b97c8dea0863995a1b7bd327ec37766e1862ee411dcc2a8f17f094d3a9c70f2876485facbae5ca9fc90f2fa6a5db41a707

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 94989927a6611e1919f84e1871922b63
SHA1 b602e4c47c9c42c273b68a1ce85f0814c0e05deb
SHA256 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17
SHA512 ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe

MD5 8f12876ff6f721e9b9786733f923ed5a
SHA1 4898a00c846f82316cc632007966dfb5f626ad43
SHA256 9aa138a385805dc69f7c082a3994538fea2127d18f352a74ab8505ccd74fa533
SHA512 1069e733a45c7a2bec67cae1b465bdd4a76051673a7bb0a7dba21a240d9e4d3d18f5915ace58e5a666d824e57355907c7ac23fc23d4fcf38af5a6e54115f1b48

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe

MD5 c427835b14238569c986d5543b36e0cb
SHA1 552d3752d6276cf8eebbf0ef976954e340930b14
SHA256 8804babd5cc914c36e67fb2a2b3086ce3b3a6b7d676749f5700f9eb41796c458
SHA512 dfe034d6f89a0068d9f1c33e4cc0df47ebfa0d38dc33884295a466f1126b24dbe78e56ef905f218636a2b3f780b28a62f5164ddf01502324854a81163c7539b8

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948fe5007_Wed163feaf0.exe

MD5 749b436db9150b62721e67aa8d5bdebb
SHA1 a5b77f7cede8c4c40d96e941a941862b6a9c1a23
SHA256 9d400635b2cb61d461ade25b36097fc8e66c8d963c1cd3ab0d6864b9c016bbfc
SHA512 ccfbffc9ca5dde45e1a834336e0f1df4a9c0e8658a7c4f07f5dec347005b2c4f9bdd5c6d5981680ba9a84d4169f9a26d4a53c930def39cd298947ec7cf8db0f3

C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe

MD5 65a916a503ac8875b7a38d04f9ec53cd
SHA1 6fe3351cdd4e684ee2eccceabe7ec515f508a6a2
SHA256 bc84e7b06f99196ef82c0d5356644ed3fe1d897257e9e8149cf83e686e285618
SHA512 574071f47f85552cc8de4c26230528db1a7034a5ac454d704a29cfe2d919c9be36f23aa2be4c5ed59554613fe20382a95d5b7e31e43d32e0cd3fc7e4a2b1be71

C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp

MD5 83b531c1515044f8241cd9627fbfbe86
SHA1 d2f7096e18531abb963fc9af7ecc543641570ac8
SHA256 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
SHA512 9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b

C:\Users\Admin\AppData\Local\Temp\is-G0RD0.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 d0527733abcc5c58735e11d43061b431
SHA1 28de9d191826192721e325787b8a50a84328cffd
SHA256 b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
SHA512 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 09:02

Reported

2024-11-09 09:04

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe
PID 1304 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe
PID 1304 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe
PID 3376 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5108 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5108 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe

"C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe"

C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS815C9897\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f9482b3cb5_Wed16d6773e4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f94837e687_Wed16b4f13b0b4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948449020_Wed163088fdd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f9486b4516_Wed16eb16ea4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948855a5b_Wed16c9c6da01a3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948a0fc8a_Wed1650732795.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948b816de_Wed16bd6eaa.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948d05937_Wed16374c3beda.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948e7f7ef_Wed16b426d6adc1.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948fe5007_Wed163feaf0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f9490c9091_Wed16d3d6c5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f949237c58_Wed168fc449f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f94aa19419_Wed16184b9bf0.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 201.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files
